Abstract 

In cyber-physical systems, software may control safety-significant operations. This report discusses a method 
to structure software testing to measure the statistical confidence that algorithms are true to their intended 
design. The subject matter appears in two main parts: theory, which shows the relationship between discrete 
systems theory, software, and the actuated automaton; and application, which discusses safety demonstration 
and indemnification, a safety assurance metric. 

The recommended form of statistical testing involves sampling algorithmic behavior in a specific area of 
safety risk known as a hazard. When this sample is random, it is known as a safety demonstration. It provides 
evidence for indemnification, a statistic expressing an assured upper bound for accident probability. The 
method obtains results efficiently from practical sample sizes. 
Chapter 1 


Prologue 

1.1 Copyright 


This document may be freely copied or modified in accordance with the Creative Commons Attribution license.* 


1.2 Executive summary 


In systems of integrated hardware and software, the intangible nature of software raises the question of fitness 
in roles bearing safety risk. Such a safety risk in software, known as a hazard, is a region of code involving 
safety constraints (requirements) necessitating some degree of verification. Hazards are identified and 
monitored by safety engineers, and possess hypothetical (threatened) frequency and severity ratings. During 
its development, potentially hazardous software merits not only rigorously controlled general engineering 
process, but also quantitative assurance of hazards within particular products. 


1.2.1 Approach 

The topic of this essay is assuring the interplay between safety constraints (requirements) and software control. 
Software is appreciated as a branching process whose permutations are intractably numerous to test 
exhaustively. Barring exhaustive testing, statistical verification remains an option. 

The degree of statistical verification will be expressed as residual risk, a contravariant quantity. A software 
item’s total risk has many constituents. For instance, any software communicating with an operator runs 
human factors risk. Statistical safety risk, one constituent of total risk, focuses on hazardous code. Code is 
potentially hazardous if its statistical risk (numerical product of frequency of execution, probability of error, 
and expected safety loss per error) is sufficiently high. 

The subject matter results from applying standard mathematics to a well-known (but cloudy) problem. It is organized 
according to a mathematized version of the Joint Software Systems Safety Engineering Handbook 
of the United States Department of Defense (2010). This mathematization affords a deeper structural view 
of safety engineering. This view inspires a unification of that document’s risk management goals, and exerts 
commonality against its disparate hardware and software risk disciplines. 

* http://creativecommons.org/licenses/by/3.0/ 


1.2.2 Synopsis 

A hazard in software is a region of code involving safety requirements, whose logical correctness is essential 
to safe operation (hazards do not embrace all forms of software error). This condition motivates some degree 
of formal verification of correctness. Hazards are measured according to their statistical risk, which is the 
numeric product of three factors associated with a software point. First is the point’s frequency of execution. 
Second is the probability of encountering error during execution of a code trajectory that reaches the point. 
Third is the point’s severity, its safety consequence (loss) per error. 

Software safety assurance may be accomplished via management of statistical risk. It is organized into two 
phases. First is guestimation, which uses expert opinion to yield a rough ranking of hazard risks, based on 
the three constituents. The subject of this essay is the approximation phase which follows, producing refined 
post-development risk for each hazard. This refinement, following hardware practice, is known as a residual 
risk. 

Data for calculation of each residual risk is drawn from a collection of specially constructed tests called a 
demonstration. Because error is associated with software sequences rather than points, demonstrations exercise 
a variety of approaching trajectories. Each demonstration does produce a maximum-likelihood estimate 
of the probability of walking into error, but this figure isn’t useful because it is usually zero. Define the indifference 
upper bound as the upper bound at 50% confidence, so the odds of underestimation balance those of 
overestimation. The indifference upper bound yields unbiased assurance. 

Indemnification is the risk level assured by the indifference upper bound on proportion failing some test 
of a demonstration. The indifference upper bound, which is non-zero, functionally replaces the maximum- 
likelihood estimate. Owing to its definition as a confidence upper bound, indemnification is also a quality 
assurance metric on completeness of safety testing relative to risk level. This essay proposes a re-unification 
of hardware and software risk, prescribing that statistical risk become the common standard bearer. 
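As an added illustration, not part of the essay, the following Python computes the indifference upper bound for a demonstration of n random tests with k failures, beside the maximum-likelihood estimate it replaces. It assumes the failures are binomial and takes the upper bound at confidence c to be the smallest proportion under which k or fewer failures occur with probability at most 1 - c (a Clopper-Pearson style bound); the essay does not fix these details, so they and the sample figures are the example's own assumptions.

```python
"""Indifference upper bound for a safety demonstration (added example).

Assumptions, not stated in the essay: a demonstration is n independent random
tests of which k fail, so the proportion failing is a binomial parameter p; the
upper bound at confidence level c is the smallest p for which k or fewer
failures occur with probability at most 1 - c (a Clopper-Pearson style bound).
At c = 0.5 this is the indifference upper bound of section 1.2.2.
"""
from math import ceil, comb, log


def binom_cdf(k: int, n: int, p: float) -> float:
    """P[X <= k] for X ~ Binomial(n, p); decreasing in p for fixed k < n."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k + 1))


def mle_failure_rate(k: int, n: int) -> float:
    """Maximum-likelihood estimate k/n: zero whenever the demonstration passes."""
    return k / n


def upper_bound(k: int, n: int, confidence: float = 0.5, tol: float = 1e-12) -> float:
    """Smallest p with P[X <= k | n, p] <= 1 - confidence, found by bisection.

    The CDF falls monotonically as p grows, so the crossing point is unique; the
    upper end of the final bracket is returned, which keeps the bound conservative.
    """
    if n <= 0 or not 0 <= k <= n:
        raise ValueError("need n > 0 and 0 <= k <= n")
    if k == n:
        return 1.0  # every test failed: nothing is ruled out
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > target:
            lo = mid  # k failures still too likely here; the bound lies to the right
        else:
            hi = mid
    return hi


def indifference_upper_bound(k: int, n: int) -> float:
    """Upper bound at 50% confidence: odds of under- and over-estimation balance."""
    return upper_bound(k, n, 0.5)


def indemnification(k: int, n: int, frequency: float, severity: float) -> float:
    """Assured risk: frequency of execution x indifference bound x loss per error,
    the three factors of statistical risk with the bound standing in for the MLE."""
    return frequency * indifference_upper_bound(k, n) * severity


def sample_size_for(p_max: float, confidence: float = 0.5) -> int:
    """Smallest failure-free demonstration whose upper bound at the given confidence
    does not exceed p_max.  With k = 0 the bound solves (1 - p)^n = 1 - c exactly."""
    return ceil(log(1 - confidence) / log(1 - p_max))


if __name__ == "__main__":
    # Constructed figures: 100 random tests of a hazard, none failing.
    n, k = 100, 0
    print("MLE:", mle_failure_rate(k, n))                      # 0.0, uninformative
    print("indifference upper bound:", indifference_upper_bound(k, n))
    print("95% upper bound:", upper_bound(k, n, 0.95))
    print("tests for a 1% indifference bound:", sample_size_for(0.01))
```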


1.2.3 Significance 

Profound difference exists between this essay’s proposal and current standards such as MIL-STD-882E and 
its companion Joint Software Systems Safety Engineering Handbook. Present adherents of MIL-STD-882E 
must break new procedural ground if they intend to evaluate statistical risk. The protocol confuses statistical 
assurance with other techniques for design vetting. Perhaps in an effort to encompass both, the standard’s 
analysis describes a hierarchy for software based on safety impact: potential human intervention, redundancy, 
or level of safety responsibility. This protocol’s measure is a hierarchy of discrete categories rather than a 
continuum variable. It may enable some types of analysis, but it renders statistical risk assessment impossible. 

These standards modify the definition of risk, preferring to introduce separate risk concepts for hardware and 
software. According to the military standard, statistical risk exists only for hardware, and is consequently lost 
for software. This essay proposes a re-introduction of statistical risk to software, with the result that hardware 
and software risks become interchangeable in meaning. 
1.3 Apologies 


This essay is not rendered to academic standards of quality; it benefits from no formal literature search 
and was written in isolation. The experienced reader may find terms in nonstandard context. The author 
has strived to maintain consistency, but admits deficiency in standardization of terminology. The author 
apologizes for resulting inconvenience. 

The author also apologizes that the concepts discussed here are nascent. Difficult engineering must be accomplished 
before a mature technology is available for commercialization. 

The author features mathematics centrally,¹ presuming undergraduate background and providing necessary 
computer science. This approach risks estranging many worthy engineering readers; however, a mathematical 
foundation is necessary. This essay serves that need. 


1.4 Informal introduction 

1.4.1 Hall’s definitions 

The concept of system is intuitively obvious but describing its analytical properties is tricky. A famous 
example appeared in Hall’s 1962 treatise on systems engineering methodology [p. 60ff]. Hall proposes 
succinct definitions of the terms system and environment: 

• A system is a set of objects with relationships between the objects and between their attributes. 

• For a given system, the environment is the set of all objects outside the system: (1) a change in whose 
attributes affect the system and (2) whose attributes are changed by the behavior of the system. 

These definitions allow a component to belong either to the system or the environment, because Hall’s definitions 
are ambiguous (different phraseology is used that is actually equivalent). Our regimen modifies Hall’s 
historical definitions to remove ambiguity; systems will be regarded as all-inclusive. From the standpoint 
of relevant influences, there simply is no “outside” influence. We clarify that a system is characterized as a 
sequence of stimulus and response. Below, “component” is a synonym for “object.” These descriptions still 
suffer some circularity: 

• A system is the set of all components having attributes, changes to which affect the system’s response. 

• The environment is the set of all components inside the system whose attributes are not affected by the 
system’s response. 

In summary, the environment affects the system’s response, but the system response does not affect the 
environment’s attributes. Factors outside the system may influence the environment’s attributes. 


1.4.2 Classification 

In a system, the terms mechanism, construct, and model have specially differentiated meaning. 

¹ The author is a retired software safety engineer, not a mathematician. 
• Mechanisms are abstractions, not necessarily separable, whose structure emulates all behaviors of a 
given phenomenon. 

• Constructs are isolatable substructures of a mechanism, for examining particular behaviors. 

• Models interpret a behavior of a construct in terms of alternate infrastructure. 

Exempli gratia, hardware and software are mechanisms and operational profiles are constructs, while safety 
risk is a model. A description of major mechanisms, constructs, and models follows. 


Hardware mechanism 

The dynamics of hardware components are portrayed as constrained real-time trajectories over a state space. 
A trajectory is a mapping from time into state space. A constraint relation is an alternative expression for 
what is familiar as an equation or inequality of state; it is merely a substitute for an equivalent equation. It is 
characteristic of systems that at any time, intersecting constraints delimit apparently independent choices so 
that just one is valid. Interacting constraints endow hardware with capabilities. Constraints can be classified 
according to their engineering significance. A violated safety constraint jeopardizes life, health, equipment, 
or surroundings. 


Software mechanism 

Theoretical investigations of discrete reactive systems² (or software) can be accomplished using a simple 
substitute for programming languages: the automaton. Automata are purely mechanistic structures positioned 
in the machine/language spectrum somewhere between the Turing machine and the Gurevich abstract 
state language (ASM). Besides their adequacy for examining theory, automata avoid selection of a preferred 
programming language, which would unnecessarily particularize concepts intended to be general. 

Automata perform work in discrete units called steps. A sequence of steps is further known as a walk. This 
essay presents the actuated automaton, a variant form whose work is deterministic conditional sequencing 
and application of instructions. Instructions are represented by mathematical morphisms, collectively known 
as functionalities. The order of these functionalities is governed by the actuated automaton through its state. 
Iteration of an actuated automaton emulates an operating program. 


Reactive mechanism 

Reactive systems characteristically need some means to transfer external stimuli. The reactive mechanism 
contains structures enabling the hardware and software mechanisms to inter-operate cohesively. The nature 
of time differs between the two; time is a continuum in hardware while it is discrete in software. The clock 
synchronization permits integration by specifying an ordered cross-reference between discrete and real time. 

Remaining is need for inter-mechanism communication. Two forms exist: 

• Sensors convey information about the hardware environment to the software mechanism. Using the 
clock synchronization, a real-time trajectory is sampled into a sequence of events. 

• Transducers map a point of the software state into a trajectory in hardware. This trajectory is called a 
control. 

² A reactive system responds to its environment, or external stimuli. 
Cone construct 


The actuated automaton has a generalized inverse called the converse. Through reiteration, the converse 
constructs a partially ordered set (poset) of effects and potential causes. This poset is not linear because an 
effect may have more than one preceding cause. 

A cone is the result of decomposing the poset into constituent chains called reverse walks. Viewed as forward 
walks (reversing the reverse walks), these chains are ordinary sequences of causes and consequent effects. 
The collection of forward chains converges to a point known as the crux, while the cone diverges from the 
same point. One subcomponent of a cone is its edge, which is the collection of steps radially opposite the 
crux. 


Operational profile construct 

As previously mentioned, automata accomplish work in units called steps. An operational profile is a measure 
of a step’s excitation probability relative to a reference set of steps. 

The “reference set of steps” itself historically represented a software usage pattern, so it sought to resemble 
the natural mix of functionalities in deployed software. This idea is abstracted to a potentially purposeless 
reference set, but the software usage pattern remains important. From the usage pattern, along with the 
automaton’s static logic, arises the very notion of probability. 

An operational profile may be applied to the edge of a cone. 


Safety risk model 

Accidents occur haphazardly with varying frequency and severity. In the context of software, risk expresses 
the potential impact of algorithmic design errors. Since its true extent is unknown, software safety risk is 
expressed as a statistical hypothesis. The compound Poisson process is a model simulating discrete event- 
based losses that accumulate with passing time. It offers the advantage of independent parameterization of 
the loss’ intensity (frequency) and severity. Indemnification is statistical assurance of software safety. 

1.4.3 Principle of emergence 

Emergence is a broad principle of physics describing a process whereby larger entities possessing a 
property arise through interactions between simpler entities that themselves do not exhibit the property. Particularized 
to software testing, the “principle of (weak) emergence” is that erroneous software can do no 
actual harm until certain of its values emerge from the realm of digital logic into a physical subsystem. This 
principle inquires both into mechanics of transduction, and how transducible values come into being. The automaton 
of the software mechanism answers the latter question. If software hazard is to be evaluated starting 
at points of transduction and proceeding backwards through internal logic, then the automaton must support 
reverse inference, meaning reversed in computational order, from final conclusion to possible premise. 
1.5 Choice fork 


Chapter 2 (Discrete Systems Theory) details relationships between systems theory and automata. From a 
mathematical standpoint the material is necessary, but there are readers for whom this chapter would duplicate 
existing knowledge. After verifying their understanding of operational profiles, they are invited 
to skip forward to Chapter 3. 

Chapter 2 is summarized here to help decide whether to skip it. Software is described using a triad of structures: 
the process, the procedure, and the path; not all are independent. Rudiments underlying these structures 
consist of ensembles and Cartesian products. Walks, the actuated automaton, converse automata, reverse 
walks, and cones follow. 

Those desiring detailed introduction to fundamentals may access Appendix A, which reviews groundwork 
and notation used here. Its highlights include that an ensemble is a mapping from a set of stimuli into a set 
of responses. Ensembles are denoted by uppercase Greek letters such as $\Psi$. The general Cartesian product of 
an ensemble, called a choice space, is denoted $\prod\Psi$. 
Chapter 2 


Discrete systems theory 


Discrete systems theory (software) is identified with the actuated automaton. 


2.1 Process 


Chains of stimulus and response characterize reactive discrete systems. In this chain, successive links are 
not independent; the response effected in one link feeds forward into the stimulus of the following link. 
For instance, in a system of cog-wheels and escapements, gear train movement accomplished in one stage 
of operation becomes input to the next. A formalism called a process captures this notion of sequential 
inheritance. We assemble processes from a simple unit called the frame, which is a two-part structure consisting 
of starting and ending conditions. A process is a sequence of frames such that the starting condition of each 
frame subsumes the ending condition of its predecessor frame. Interpreted in systems language, a frame’s 
starting condition is a stimulus and its ending condition is a response. Current response re-appears as part of 
future stimulus. 

Definitions of ensemble and related basic concepts appear in Groundwork, Appendix A.1 ff. 

Definition 2.1.1. The pair of ensembles $(\Psi, \Phi)$ is a basis if $\Phi \subseteq \Psi$. 

It is necessary to represent states (variables) which are used but not set, so-called “volatile” variables. For 
example, such variables can hold the transient values of sensors. The remainder $\Psi \setminus \Phi$ is the generating 
ensemble of volatile variables (see terminology following definition A.3.4). 

Definition 2.1.2. The frame space $F$ of basis $(\Psi, \Phi)$ is the set $\prod\Psi \times \prod\Phi$. A member $\mathbf{f} \in F$ is a frame. 

Terminology. Let $\mathbf{f} = (\psi, \varphi) \in \prod\Psi \times \prod\Phi$ be a frame. The choice $\psi \in \prod\Psi$ is the frame’s starting condition 
(abscissa) and $\varphi \in \prod\Phi$ the frame’s ending condition (ordinate). 

Two frames may be related such that the ending condition of one frame is embedded within the next frame’s 
starting condition. This stipulation is conveniently expressed as a mapping restriction: 

Definition 2.1.3. Let $(\Psi, \Phi)$ be a basis with frames $\mathbf{f} = (\psi, \varphi)$, $\mathbf{f}' = (\psi', \varphi') \in \prod\Psi \times \prod\Phi$. Frame $\mathbf{f}$ 
conjoins frame $\mathbf{f}'$ if $\psi'|\mathrm{dom}\,\Phi = \varphi$. 

Notation. A sequence in a set $S$ is some mapping $\sigma\colon \mathbb{N} \to S$, that is, $\sigma \in S^{\mathbb{N}}$. The anonymous sequence 
convention allows reference to a sequence using the compound symbol $\{s_n\}$, understanding $s \in S$. Formally, 
the symbol $s_i$ denotes that term $(i, s_i) \in \{s_n\}$. The convention is clumsy expressing functional notation; for 
instance $s_i = \{s_n\}(i)$ means $i \mapsto s_i$. 

Definition 2.1.4. Let $(\Psi, \Phi)$ be a basis with sequence of frames $\{\mathbf{f}_n\}\colon \mathbb{N} \to \prod\Psi \times \prod\Phi$. The sequence is 
successively conjoint if $\mathbf{f}_i$ conjoins $\mathbf{f}_{i+1}$ for each $i \geq 1$. 

Definition 2.1.5. With $(\Psi, \Phi)$ a basis, a process is a successively conjoint sequence of frames $\mathbb{N} \to \prod\Psi \times \prod\Phi$. 

Definition 2.1.6. Let $(\Psi, \Phi)$ be a basis with frame space $F = \prod\Psi \times \prod\Phi$. Define the abscissa projection 
$\mathrm{absc}\colon F \to \prod\Psi$ by $(\psi, \varphi) \mapsto \psi$. Define the ordinate projection $\mathrm{ord}\colon F \to \prod\Phi$ by $(\psi, \varphi) \mapsto \varphi$. 

Definition 2.1.7. Let $(\Psi, \Phi)$ be a basis with persistent-volatile partition $\Psi = \Xi \cup \Phi$ (see appendix A.4). 
Suppose $\mathbf{f}$ is a frame in $\prod\Psi \times \prod\Phi$. The reactive state of frame $\mathbf{f}$ is $\psi = \varphi^{\xi} = \mathrm{absc}\,\mathbf{f}$. The event or 
volatile excitation state of frame $\mathbf{f}$ is $\xi = (\mathrm{absc}\,\mathbf{f})|\mathrm{dom}\,\Xi$. Similarly, the persistent state of frame $\mathbf{f}$ is 
$\varphi = (\mathrm{absc}\,\mathbf{f})|\mathrm{dom}\,\Phi$. 

Terminology. Process concepts interpret into systems language. The reactive space $\prod\Psi$ contains the system 
stimulus. Sequential conjointness allows circumstantial interpretation of the choice space $\prod\Phi$. It is the 
system’s response in the context of the frame ending condition. To place $\prod\Phi$ in context of the frame’s 
reactive state, the Cartesian product $\prod\Phi = \prod(\Psi|\mathrm{dom}\,\Phi) = (\prod\Psi)|\mathrm{dom}\,\Phi$ [by theorem A.3.17] is the 
persistent state space. Using this nomenclature, sequential conjointness is summarized by saying that each frame’s 
response becomes the next frame’s persistent state, symbolically $\mathrm{ord}\,\mathbf{f}_i = \mathrm{absc}\,\mathbf{f}_{i+1}|\mathrm{dom}\,\Phi$. 


2.2 Procedure 


The procedure is useful to portray a process frame as a transformation from the stimulus space to the response 
space. To distinguish such transformations from other mappings, we use the special term “functionality” and 
stipulate that the collection of functionalities is a finite set called a catalog. The term “catalog” will later be 
applied to resource sets identified with an automaton. 


2.2.1 Functionality 

The functionality generalizes the frame. If $\mathbf{f}_i = (\psi_i, \varphi_i)$ is the $i$th process frame, this concept permits writing 
$\varphi_i = f_i(\psi_i)$, where $f_i$ is some functionality belonging to catalog $\mathcal{F}$. 

Definition 2.2.1. A functionality is a mapping whose domain and codomain are choice spaces (definition 
A.3.4), with the codomain a subspace (definition A.3.16) of the domain. 

Lemma 2.2.2. Let $(\Psi, \Phi)$ be a basis. Any mapping $f\colon \prod\Psi \to \prod\Phi$ is a functionality. 

Proof. As a basis, definition 2.1.1 establishes that $\Psi$ and $\Phi$ are ensembles with $\Phi \subseteq \Psi$. Since $\Psi$ and $\Phi$ 
are ensembles, definition A.3.4 asserts that $\prod\Psi$ and $\prod\Phi$ are choice spaces. Theorem A.3.21 provides that 
$\prod\Phi$ is a subspace of $\prod\Psi$ because $\Phi \subseteq \Psi$. By virtue of $f \in (\prod\Phi)^{\prod\Psi}$, then $f\colon \prod\Psi \to \prod\Phi$ is a mapping 
from one choice space to another, which is a subspace of the first. These conditions satisfy the premises of 
definition 2.2.1. □ 

Remark (functionality versus function). In its programming sense, the term “function” will not be used here. 
A mathematical functionality differs from a software function; functionalities lack arguments. By virtue of 
its calling protocol, a programming function is effectively a class of functionalities. 
2.2.2 Procedure 


Procedures are sequences in a finite set of functionalities: 

Definition 2.2.3. Let $(\Psi, \Phi)$ be a basis. A finite subset $\mathcal{F} \subseteq (\prod\Phi)^{\prod\Psi}$ is a catalog of functionality. 

Definition 2.2.4. Let $(\Psi, \Phi)$ be a basis and $\mathcal{F} \subseteq (\prod\Phi)^{\prod\Psi}$ be a catalog of functionality. A procedure is a 
sequence $\{f_n\}\colon \mathbb{N} \to \mathcal{F}$. 

After noting the functionality’s successful generalization of the frame, the next question is whether the procedure 
correspondingly abstracts the process. We find that not all processes are “computable” as procedures 
based on a finite number of functionalities. 


2.2.3 Covering 

The relation holding between frame $\mathbf{f} \in \prod\Psi \times \prod\Phi$ and functionality $f\colon \prod\Psi \to \prod\Phi$ is membership: 
either $\mathbf{f} \in f$ or $\mathbf{f} \notin f$. 

Definition 2.2.5. Let $\mathbf{f}$ be a frame and $f$ be a functionality. The functionality covers the frame if $\mathbf{f} \in f$ (that 
is, $\mathbf{f} = (\psi, \varphi) = (\psi, f(\psi))$). 

Definition 2.2.6. Let $\{\mathbf{f}_n\}$ be a sequence of frames and $\{f_n\}$ be a procedure. The procedure covers the 
sequence of frames if $\mathbf{f}_i \in f_i$ for each $i \geq 1$ (that is, $\mathbf{f}_i = (\psi_i, \varphi_i) = (\psi_i, f_i(\psi_i))$). 

Any procedure covers some process. 

Theorem 2.2.7. Let $(\Psi, \Phi)$ be a basis with persistent-volatile partition $\Psi = \Xi \cup \Phi$ and catalog of functionality 
$\mathcal{F}$. Suppose $\{f_n\}\colon \mathbb{N} \to \mathcal{F}$ is a procedure. For each choice of persistent state $\rho \in \prod\Phi$ and volatile 
excitation sequence $\{\xi_n\} \in (\prod\Xi)^{\mathbb{N}}$, there is a process $\{\mathbf{f}_n\}\colon \mathbb{N} \to \prod\Psi \times \prod\Phi$ such that the procedure 
covers the process. 

Proof. The persistent state $\rho$ and volatile excitation $\{\xi_n\}$ are given. Inductively define sequence $\{\varphi_n\}$ using 
base clause $\varphi_1 = \rho$ and recursive clause $\varphi_{i+1} = f_i(\varphi_i^{\xi_i})$ for $i \geq 1$ (dyadic notation, definition A.3.10 ff). 

We first show that the sequence $\{\varphi_n\}$ lies in $\prod\Phi$. Through $\rho$, definition 2.1.7 provides that $\varphi_1 \in \prod\Phi$. For 
the iterative part, the hypothesis $\varphi_i \in \prod\Phi$ implies that $\varphi_i^{\xi_i} \in \prod\Psi$ [theorem A.3.14]. Since $f_i$ maps $\prod\Psi$ 
to $\prod\Phi$, then $f_i(\varphi_i^{\xi_i}) = \varphi_{i+1} \in \prod\Phi$. This chain of implication concludes that $(\varphi_i \in \prod\Phi) \Rightarrow (\varphi_{i+1} \in \prod\Phi)$. 

Use $\{\varphi_n\}$ and $\{\xi_n\}$ to define another sequence $\{\mathbf{f}_n\}$ by setting $\mathbf{f}_i = (\varphi_i^{\xi_i}, \varphi_{i+1})$. Since $\varphi_i^{\xi_i} \in \prod\Psi$ and 
$\varphi_{i+1} \in \prod\Phi$, then $(\varphi_i^{\xi_i}, \varphi_{i+1}) \in \prod\Psi \times \prod\Phi$, so $\{\mathbf{f}_n\}$ is a sequence of frames. Note that $\mathbf{f}_i = (\varphi_i^{\xi_i}, \varphi_{i+1})$ 
and $\mathbf{f}_{i+1} = (\varphi_{i+1}^{\xi_{i+1}}, \varphi_{i+2})$. In this case, the sequence is successively conjoint (definitions 2.1.3 and 
2.1.4) because $\varphi_{i+1}^{\xi_{i+1}}|\mathrm{dom}\,\Phi = \varphi_{i+1}$. As a successively conjoint sequence of frames, $\{\mathbf{f}_n\}$ is a process 
(definition 2.1.5). 

Since $\mathbf{f}_i = (\varphi_i^{\xi_i}, \varphi_{i+1})$ and by construction $\varphi_{i+1} = f_i(\varphi_i^{\xi_i})$, then $\mathbf{f}_i = (\varphi_i^{\xi_i}, f_i(\varphi_i^{\xi_i}))$ and $\mathbf{f}_i \in f_i$. By 
definition 2.2.6 procedure $\{f_n\}$ covers process $\{\mathbf{f}_n\}$. □ 


2.2.4 Uncoverable process 

Although any procedure does cover some process, some processes have no covering procedure. See [B]. 

2.3 Automata 


The algorithm is conceived as a method to solve problems using a network of mechanistic steps consisting of 
decisions and contingent actions. An automaton is a formal machine whose architecture of states and transitions 
concretizes some aspects of the algorithm. The deterministic finite automaton (DFA) 
is a simple structure describing transit-based behavior. However, the DFA leaves unexplained the working 
mechanism underlying transitions. The DFA’s definition can be modified to effect closer alignment with 
our notion of software algorithm. The result is the actuated automaton, which mechanizes logic using structure 
analogous to programming language. An informal analogy between an automaton and a programming 
language will be proposed at the end of this section. 


2.3.1 Locus 

A formalization of the algorithm’s stepwise network of decisions and actions requires some means of indicating 
one’s place in the overall method, to track what is current and what is next. We provide this in the form 
of a set of loci, which serve as labels for the “locations” implicit in a program or algorithm. 

Definition 2.3.1. A catalog of loci is a finite non-empty set $\Lambda$, each member $\lambda$ of which is called a locus. 

Definition 2.3.2. Let $\Lambda$ be a catalog of loci. A path is a sequence $\{\lambda_n\}\colon \mathbb{N} \to \Lambda$. 

2.3.2 Summary 

We now identify the components of a walk, the three fundamental P’s: 

• A path is a sequence in the catalog of loci $\Lambda$. 

• A process is a conjoint sequence in the frame space $F = \prod\Psi \times \prod\Phi$. 

• A procedure is a covering sequence in the catalog of functionality $\mathcal{F}$. 

2.3.3 Auxiliary mechanisms 

Definition 2.3.3. Let $\mathcal{F}$ be a catalog of functionality on basis $(\Psi, \Phi)$. An actuator $a$ is a mapping $a\colon \prod\Psi \to \mathcal{F}$ 
from the process stimulus space to the catalog of functionality. 

In other words, any $a \in \mathcal{F}^{\prod\Psi}$ is an actuator. 

Definition 2.3.4. A catalog of actuation is a non-empty finite set $A \subseteq \mathcal{F}^{\prod\Psi}$ of actuators. 

With each locus is associated exactly one designated actuator: 

Definition 2.3.5. Let the locator be a surjective mapping $\ell\colon \Lambda \to A$. 

To permit each actuator to be located, it is prerequisite that $|A| \leq |\Lambda|$ (the number of actuators is less than or 
equal to the number of loci). 

Definition 2.3.6. Let $\Lambda$ be a catalog of loci. The jump function is a mapping $\Delta\colon \Lambda \times \prod\Psi \to \Lambda$. 
2.3.4 Actuated automaton 


Definition 2.3.7. The structure $\mathfrak{A} = (\Psi, \Phi, \mathcal{F}, A, \Lambda, \ell, \Delta)$ of an actuated automaton consists of seven synchronized 
catalogs: a basis $(\Psi, \Phi)$ with catalog of functionality $\mathcal{F}$, catalog of actuation $A$, catalog of loci $\Lambda$, 
locator function $\ell$, and jump function $\Delta$. 

Terminology. Automata exist in many varieties. Since the actuated automaton occupies the entire present 
scope of interest, we forgo mandatory use of the qualifier “actuated.” 


2.3.5 Programming language analogy 

The automaton $(\Psi, \Phi, \mathcal{F}, A, \Lambda, \ell, \Delta)$ of definition 2.3.7 resembles an algorithm written in an elementary 
programming language. The following comprise the analogy: 

• the generating ensemble $\Phi$ of the persistent state space represents ordinary program variables; 

• the remainder ensemble $\Psi \setminus \Phi$ represents volatile external inputs, such as sensors; 

• functionalities of the catalog $\mathcal{F}$ represent blocks of program assignment statements; 

• actuators in $A$ implement if-then-elsif-else decisions; 

• the jump function $\Delta$ is a “goto” indicating the next point of execution; and 

• loci in $\Lambda$ are labels serving as “goto-able” points of execution. 


2.4 Iteration 


While leaving undefined the notion of a step in an algorithm, we do formalize it for the automaton. Identifying 
a step space leads to defining iterative operators, and hence to iteration. 


2.4.1 Step space 

The step space underlies automata. It is formed by augmenting a catalog of loci to the building blocks of 
processes and procedures, namely frames and functionalities. 

Definition 2.4.1. Suppose $\Lambda$ is a catalog of loci. Let basis $(\Psi, \Phi)$ underlie frame space $F = \prod\Psi \times \prod\Phi$ and 
catalog of functionality $\mathcal{F} \subseteq (\prod\Phi)^{\prod\Psi}$. A step space $S$ is the Cartesian product $S = \Lambda \times \mathcal{F} \times F$. 

Remark. The volatile excitation, whose generating ensemble is $\Psi \setminus \Phi$, is intrinsically part of the definition of 
step space. Lest this implicit fact be forgotten, we shall adopt explicit but redundant notation as reminders. 

Definition 2.4.2. Let $s = (\lambda, f, \mathbf{f})$ be a member of step space $S = \Lambda \times \mathcal{F} \times F$. Define the locus projection 
$\coprod_\Lambda\colon S \to \Lambda$ by setting $\coprod_\Lambda(\lambda, f, \mathbf{f}) = \lambda$. Similarly define the frame and functionality projections by 
$\coprod_F(\lambda, f, \mathbf{f}) = \mathbf{f}$ and $\coprod_{\mathcal{F}}(\lambda, f, \mathbf{f}) = f$ respectively. 

Definition 2.1.3 considers the covering relation between a frame and a functionality. Consistency is the same 
principle applied to the context of a step: 

Definition 2.4.3. Let $s = (\lambda, f, \mathbf{f})$ be a member of step space $S = \Lambda \times \mathcal{F} \times F$. The step $s$ is consistent if 
$\coprod_F(s) = \mathbf{f} \in f = \coprod_{\mathcal{F}}(s)$ (that is, its frame is a member of its functionality). 
Sequence projection 


Definition 2.4.4. Let $S = \Lambda \times \mathcal{F} \times F$ be a step space and $\mathcal{N}$ be a denumerable index set. A walk is a 
sequence $\mathcal{N} \to S$ of steps (usually $\mathcal{N}$ will be the natural numbers $\mathbb{N}$). 

Remark. We revisit the three fundamental P’s (path, procedure, and process; §2.3.2). A walk in step space 
decomposes into these three sequences: $\mathrm{walk}_i = (\mathrm{path}_i, \mathrm{process}_i, \mathrm{procedure}_i)$. This triple is not logically 
independent; being so, shorter characterizations of step space exist. However we retain the present representation, 
favoring its three-element formulation, which covers all possibilities in simple fashion. 

Definition 2.4.5. [Extended projection] Let $\{s_n\}$ be a walk in step space $S = \Lambda \times \mathcal{F} \times F$ and let $\mathcal{N}$ be a 
denumerable index set (usually $\mathbb{N}$). Use the locus projection $\coprod_\Lambda\colon S \to \Lambda$ of definition 2.4.2 to construct the 
sequential path projection $\coprod_\Lambda\colon S^{\mathcal{N}} \to \Lambda^{\mathcal{N}}$ via setting $\coprod_\Lambda(\{s_n\}) = \{(i, \coprod_\Lambda(s)) : (i, s) \in \{s_n\}\}$. Similarly 
define the sequential process and procedure projections $\coprod_F\colon S^{\mathcal{N}} \to F^{\mathcal{N}}$ and $\coprod_{\mathcal{F}}\colon S^{\mathcal{N}} \to \mathcal{F}^{\mathcal{N}}$. 

Notation. With $\{x_n\}\colon \mathcal{N} \to X$ a sequence in some set $X$, we alternatively denote the sequence’s $i$th term by 
$x_i = \{x_n\}(i)$. 

Lemma 2.4.6. Let $(\Psi, \Phi)$ and locus set $\Lambda$ be the bases for step space $S = \Lambda \times \mathcal{F} \times F$. Let $\{s_n\}$ be a 
walk $\mathcal{N} \to S$. For each $i \in \mathcal{N}$, $(\coprod_\Lambda(\{s_n\}))(i) = \coprod_\Lambda(\{s_n\}(i))$; that is, the $i$th term of the sequential path 
projection equals the locus projection of the $i$th step. 

Analogous assertions are true of the remaining sequential projections: $(\coprod_F(\{s_n\}))(i) = \coprod_F(\{s_n\}(i))$ and 
$(\coprod_{\mathcal{F}}(\{s_n\}))(i) = \coprod_{\mathcal{F}}(\{s_n\}(i))$. 

Proof. By definition 2.4.5 the sequential path projection $\coprod_\Lambda\colon S^{\mathcal{N}} \to \Lambda^{\mathcal{N}}$ is $\coprod_\Lambda(\{s_n\}) = \{(i, \coprod_\Lambda(s)) : (i, s) \in \{s_n\}\}$. 
The $i$th term of $\coprod_\Lambda(\{s_n\})$ is $(\coprod_\Lambda(\{s_n\}))(i)$. From set builder notation we observe that the $i$th term 
of the expression $\{(i, \coprod_\Lambda(s)) : (i, s) \in \{s_n\}\}$ is $\coprod_\Lambda(s_i) = \coprod_\Lambda(\{s_n\}(i))$. Since the sequences are equal, 
each of their corresponding terms is equal: $(\coprod_\Lambda(\{s_n\}))(i) = \coprod_\Lambda(\{s_n\}(i))$. Demonstration is similar for 
the other two sequential projections. □ 


2.4.2 Iterative operators

Definition 2.4.7. Let $\mathbb{S}$ be a step space with basis $(\Psi, \Phi)$. Suppose the volatile excitation space $\Psi \setminus \Phi$ is non-empty. An iterative operator is a mapping $V : \mathbb{S} \to \mathbb{S}$.


Disambiguation 

An iterative operator maps a step space into itself. One element of a step space is a reactive state space, having 
persistent and volatile components. A functionality maps a reactive state space into the persistent subset of 
itself. 


Walk of iterative operator

Definition 2.4.8. Let $(\Psi, \Phi)$ be a basis with step space $\mathbb{S} = \Lambda \times \mathcal{A} \times (\prod\Psi \times \prod\Phi)$. Suppose $V : \mathbb{S} \to \mathbb{S}$ is an iterative operator, $s \in \mathbb{S}$ a step, and $\{\xi_n\}$ a volatile excitation sequence. Define inductively a sequence of steps by setting $s_1 = s$ and $s_{i+1} = V(s_i)$ for each $i \geq 1$. The walk of $s \in \mathbb{S}$ under $V$, assuming sequence of volatile excitation $\{\xi_n\}$, is the walk $\{s_n\}$.

Terminology. An iterative operator's $i$th iteration is its walk's $(i+1)$th term.
2.4.3 Automaton-induced iterative operators


Iteration of automata guarantees properties not necessarily enjoyed by other classes of iterative operators: automata generate consistent steps having conjoint processes.


Automaton as transformation

Definition 2.4.9. Let $(\Psi, \Phi)$ be a basis with persistent-volatile partition $\Psi = \Phi\Xi$ and step space $\mathbb{S} = \Lambda \times \mathcal{A} \times (\prod\Psi \times \prod\Phi)$. Let $\mathfrak{A} = (\Psi, \Phi, \Lambda, \mathcal{E}, \Delta)$ be an actuated automaton. Let $\xi' \in \prod\Xi$ be an event stimulus and $s = (\lambda, f, \mathfrak{f}) = (\lambda, f, (\psi, \phi)) \in \mathbb{S}$ be a step. The transform $T_{\mathfrak{A}}$ induced by $\mathfrak{A}$ is

$$(\lambda, f, (\psi, \phi)) \mapsto (\lambda', f', (\psi', \phi')),$$

where

$$\lambda' = \Delta(\lambda, \psi) \qquad \text{[next locus]}$$

$$f' = (\mathcal{E}(\Delta(\lambda, \psi)))(f(\psi)\xi') \qquad \text{[next functionality]}$$

$$\mathfrak{f}' = (\psi', \phi') = \bigl([f(\psi)\xi'],\ [(\mathcal{E}(\Delta(\lambda, \psi)))(f(\psi)\xi')]([f(\psi)\xi'])\bigr) \qquad \text{[next frame]}$$

Remark. A partial unfolding of these expressions' generators clarifies the roles of components in the overall mechanism:

1. Current reactive state is $\psi = \phi\xi$.

2. Current locus is $\lambda$.

3. Current actuator is $a = \mathcal{E}(\lambda)$.

4. Current functionality is $f = a(\psi) = (\mathcal{E}(\lambda))(\psi)$.

5. Current frame is $\mathfrak{f} = (\psi, f(\psi))$.

6. Current step is $s = (\lambda, (\mathcal{E}(\lambda))(\psi), (\psi, f(\psi)))$.

7. Next reactive state is $\psi' = \phi\xi' = f(\psi)\xi'$ (by conjointness).

8. Next locus is found through the jump function: $\lambda' = \Delta(\lambda, \psi)$.

9. Next actuator is $a' = \mathcal{E}(\lambda')$,

10. $a' = \mathcal{E}(\Delta(\lambda, \psi))$.

11. Next functionality is $f' = a'(\psi')$,

12. $f' = [\mathcal{E}(\Delta(\lambda, \psi))](\psi')$,

13. $f' = (\mathcal{E}(\Delta(\lambda, \psi)))(f(\psi)\xi')$.

14. Next frame is $\mathfrak{f}' = (\psi', f'(\psi'))$,

15. $\mathfrak{f}' = ([f(\psi)\xi'],\ f'([f(\psi)\xi']))$,

16. $\mathfrak{f}' = ([f(\psi)\xi'],\ [(\mathcal{E}(\Delta(\lambda, \psi)))(f(\psi)\xi')]([f(\psi)\xi']))$.

17. Next step is $s' = (\Delta(\lambda, \psi), a'(\psi'), (\psi', f'(\psi')))$.
Automaton as iterative operator


Theorem 2.4.10. Let $(\Psi, \Phi)$ be a basis with persistent-volatile partition $\Psi = \Phi\Xi$ and step space $\mathbb{S}$. Let $\mathfrak{A}$ be an automaton. The transform $T_{\mathfrak{A}} : \mathbb{S} \to \mathbb{S}$ induced by $\mathfrak{A}$ is an iterative operator (that is, if $s \in \mathbb{S}$, then $T_{\mathfrak{A}}(s) \in \mathbb{S}$).

Proof. By definition 2.3.7 automaton $\mathfrak{A}$ consists of components $(\Psi, \Phi, \Lambda, \mathcal{E}, \Delta)$. Other premises are that the iterative operator's domain is $\mathbb{S}$, the persistent-volatile partition $\Psi = \Phi\Xi$, and that $\Phi \cap \Xi = \emptyset$.

Suppose $\xi' \in \prod\Xi$ and $s \in \mathbb{S}$. By definition 2.4.1 of step space, there exist locus $\lambda \in \Lambda$, functionality $f \in \mathcal{A}$, and frame $\mathfrak{f} = (\psi, \phi) \in \prod\Psi \times \prod\Phi$ such that $s = (\lambda, f, (\psi, \phi))$.

Definition 2.4.9 calls for an application of the form $(\mathcal{E}(\lambda))(\psi)$ to define the succeeding functionality $f'$. Definition 2.3.5 specifies $\mathcal{E}$ as a mapping from loci to actuators, so $a = \mathcal{E}(\lambda)$ is an actuator. Definition 2.3.3 specifies that an actuator maps $\prod\Psi$ into $\mathcal{A}$, so the application $f' = (\mathcal{E}(\lambda))(\psi) = a(\psi)$ is a functionality in $\mathcal{A}$.

Definition 2.4.9 next calls for evaluating the succeeding frame $\mathfrak{f}' = (\psi', \phi')$. By premise $f \in \mathcal{A}$ and $\psi \in \prod\Psi$, and by virtue of its origin as a frame ordinate, $\phi \in \prod\Phi$. Since $\Psi = \Phi\Xi$, then $\phi\xi'$ is a valid dyadic product and $\psi' = \phi\xi' \in \prod\Psi$. Since definition 2.2.3 asserts $\mathcal{A} \subseteq (\prod\Phi)^{\prod\Psi}$ and $f' \in \mathcal{A}$, then $f' : \prod\Psi \to \prod\Phi$. With $\psi' \in \prod\Psi$, then $\phi' = f'(\psi') \in \prod\Phi$. Hence $\mathfrak{f}' = (\psi', \phi') \in \prod\Psi \times \prod\Phi$, and $\mathfrak{f}'$ is a frame.

Finally, definition 2.4.9 calls for the succeeding locus as $\lambda' = \Delta(\lambda, \psi)$. Definition 2.3.6 specifies the jump function as a mapping $\Delta : \Lambda \times \prod\Psi \to \Lambda$. It is established above that $\lambda \in \Lambda$ and $\psi \in \prod\Psi$, so $\lambda' = \Delta(\lambda, \psi) \in \Lambda$ is a locus.

With locus $\lambda' \in \Lambda$, functionality $f' \in \mathcal{A}$, and frame $\mathfrak{f}' = (\psi', \phi') \in \prod\Psi \times \prod\Phi$, we then summarize that $s' = (\lambda', f', (\psi', \phi')) \in \mathbb{S}$ is a step, and conclude that transform $T_{\mathfrak{A}}$ is an iterative operator $\mathbb{S} \to \mathbb{S}$. □

Notation. Application of the iterative operator $T_{\mathfrak{A}}$ induced by automaton $\mathfrak{A}$ is denoted $s' = \mathfrak{A}(s)$.

Notation. Let $\mathbb{S}$ be a step space with automaton $\mathfrak{A}$ inducing iterative operator $T_{\mathfrak{A}}$. The walk of $s \in \mathbb{S}$ under $T_{\mathfrak{A}}$ assuming sequence of volatile excitation $\{\xi_n\}$ is denoted $\mathfrak{A}_{\{\xi_n\}}(s)$.

Remark. The notation $\mathfrak{A}_{\{\xi_n\}}(s)$ is a reminder of the important role of the sequence of volatile excitations $\{\xi_n\}$. While each $f$ is entirely determined by the initial frame within step $s$, this notation emphasizes that the volatile excitations are essentially free variables. Persistent variables are bound.


Automaton iterative properties

Theorem 2.4.11. Let $\mathfrak{A}$ be an automaton and $\mathbb{S}$ be a step space with persistent-volatile partition $\Psi = \Phi\Xi$. Suppose step $s \in \mathbb{S}$ and event $\xi \in \prod\Xi$. Frame $\mathfrak{U}_F(s)$ conjoins frame $\mathfrak{U}_F(\mathfrak{A}_\xi(s))$.

Proof. By hypothesis $\xi \in \prod\Xi$ and $s \in \mathbb{S}$. By definition 2.4.1 of step space, there exist locus $\lambda \in \Lambda$, frame $\mathfrak{f} = (\psi, \phi) \in \prod\Psi \times \prod\Phi$, and functionality $f \in \mathcal{A}$ such that $s = (\lambda, f, (\psi, \phi))$. Definition 2.4.2 establishes that $\mathfrak{U}_F(s) = (\psi, \phi)$.

By Theorem 2.4.10 the automaton induces an iterative operator, so there exists $\mathfrak{A}_\xi(s) = (\lambda', f', (\psi', \phi')) \in \mathbb{S}$. Again by definition 2.4.2, $\mathfrak{U}_F(\mathfrak{A}_\xi(s)) = (\psi', \phi')$.

Definition 2.4.9 evaluates $\mathfrak{f}' = (\psi', \phi') = (\phi\xi, f'(\phi\xi))$ as the succeeding frame. Definition 2.1.3 asserts that frame $(\psi, \phi)$ conjoins frame $(\psi', \phi')$ if $\psi'|_{\operatorname{dom}\Phi} = \phi$. Here $\psi' = \phi\xi$, so $\phi\xi|_{\operatorname{dom}\Phi} = \phi$ by virtue of the persistent-volatile partition $\Psi = \Phi\Xi$. Thus we conclude $(\psi, \phi)$ conjoins $(\psi', \phi')$.

Since $\mathfrak{U}_F(s) = (\psi, \phi)$, $(\psi, \phi)$ conjoins $(\psi', \phi')$, and $(\psi', \phi') = \mathfrak{U}_F(\mathfrak{A}_\xi(s))$, then by transitivity $\mathfrak{U}_F(s)$ conjoins $\mathfrak{U}_F(\mathfrak{A}_\xi(s))$. □


Theorem 2.4.12. Let $\mathfrak{A}$ be an automaton and $\mathbb{S}$ be a step space with step $s \in \mathbb{S}$ and volatile excitation $\{\xi_n\}$. Sequential process projection $\mathfrak{U}_F(\mathfrak{A}_{\{\xi_n\}}(s))$ is indeed a process per definition 2.1.5.

Proof. Definition 2.1.5 asserts that a process is a successively conjoint sequence of frames. To show contradiction, hypothesize that the frame sequence $\mathfrak{U}_F(\mathfrak{A}_{\{\xi_n\}}(s))$ is not a process. Then there is some index $i$ such that frame $\mathfrak{U}_F(s_i)$ does not conjoin frame $\mathfrak{U}_F(s_{i+1})$.

Let $s_i$ be the $i$th step of walk $\mathfrak{A}_{\{\xi_n\}}(s)$. From definition 2.4.8 the succeeding step is $s_{i+1} = \mathfrak{A}_{\xi_i}(s_i)$. By Theorem 2.4.11 frame $\mathfrak{U}_F(s_i)$ conjoins frame $\mathfrak{U}_F(\mathfrak{A}_{\xi_i}(s_i))$. This contradicts the conclusion drawn from the hypothesis that the frame sequence is not a process, so $\mathfrak{U}_F(\mathfrak{A}_{\{\xi_n\}}(s))$ is a process. □

Be a step consistent or not, in automaton-based iteration that step's successor is consistent.

Theorem 2.4.13. Let $\mathfrak{A}$ be an automaton and $\mathbb{S}$ be a step space with persistent-volatile partition $\Psi = \Phi\Xi$. Suppose step $s \in \mathbb{S}$ and event $\xi \in \prod\Xi$. Step $\mathfrak{A}_\xi(s)$ is consistent.

Proof. By hypothesis $\xi \in \prod\Xi$ and $s \in \mathbb{S}$. By definition 2.4.1 of step space, there exist locus $\lambda \in \Lambda$, frame $\mathfrak{f} = (\psi, \phi) \in \prod\Psi \times \prod\Phi$, and functionality $f \in \mathcal{A}$ such that $s = (\lambda, f, (\psi, \phi))$.

By Theorem 2.4.10 the automaton induces an iterative operator, so there exists $\mathfrak{A}_\xi(s) = (\lambda', f', (\psi', \phi')) \in \mathbb{S}$. By definition 2.4.2, $\mathfrak{U}_F(\mathfrak{A}_\xi(s)) = \mathfrak{f}' = (\psi', \phi')$ and $\mathfrak{U}_{\mathcal{A}}(\mathfrak{A}_\xi(s)) = f'$.

Definition 2.4.9 evaluates $\mathfrak{f}' = (\psi', \phi') = (\phi\xi, f'(\phi\xi))$ as the succeeding frame. This complex relation separates into the simple conditions $\psi' = \phi\xi$ and $\phi' = f'(\phi\xi) = f'(\psi')$. The assertion $\mathfrak{f}' = (\psi', \phi') = (\psi', f'(\psi'))$ bears the same meaning as $\mathfrak{f}' = (\psi', \phi') \in f'$.

Definition 2.4.3 states that step $\mathfrak{A}_\xi(s)$ is consistent if $\mathfrak{U}_F(\mathfrak{A}_\xi(s)) = \mathfrak{f}' \in f' = \mathfrak{U}_{\mathcal{A}}(\mathfrak{A}_\xi(s))$, which is here satisfied. □

Theorem 2.4.14. Let $\mathfrak{A}$ be an automaton and $\mathbb{S}$ be a step space with consistent step $s \in \mathbb{S}$ and volatile excitation $\{\xi_n\}$. Suppose $\{s_n\}$ is the walk $\mathfrak{A}_{\{\xi_n\}}(s)$. Sequential procedure projection $\mathfrak{U}_{\mathcal{A}}(\{s_n\})$ covers sequential process projection $\mathfrak{U}_F(\{s_n\})$.

Proof. We have the premises that step $s \in \mathbb{S}$ is consistent, that $\{\xi_n\}$ is an excitation, that $\mathfrak{A}$ is an automaton, and that $\{s_n\}$ is the walk $\mathfrak{A}_{\{\xi_n\}}(s)$. We temporarily suppress the repetitive lengthy expression $\mathfrak{A}_{\{\xi_n\}}(s)$ through the abbreviation $\mathfrak{A}^{\ast}$.

Induction demonstrates that each step of walk $\mathfrak{A}^{\ast}$ is consistent. For the base clause, the case $i = 1$ is true by hypothesis, since the initial step $\mathfrak{A}^{\ast}(1) = s$ is presumed consistent. For the recursive clause, definition 2.4.8 provides that $s_{i+1} = \mathfrak{A}(\xi_i, s_i)$ for each $i \geq 1$. By theorem 2.4.13 step $\mathfrak{A}(\xi_i, s_i) = \mathfrak{A}^{\ast}(i+1)$ is consistent. By the axiom of induction, step $\mathfrak{A}^{\ast}(i)$ is consistent for each $i \geq 1$.

By definition 2.4.3 and the conclusion that step $\mathfrak{A}^{\ast}(i)$ is consistent for each $i \geq 1$, it follows that $\mathfrak{U}_F(\mathfrak{A}^{\ast}(i)) \in \mathfrak{U}_{\mathcal{A}}(\mathfrak{A}^{\ast}(i))$, also for each $i \geq 1$.

Substituting $\mathfrak{A}^{\ast} = \{s_n\}$ into lemma 2.4.6 yields frame $(\mathfrak{U}_F(\mathfrak{A}^{\ast}))(i) = \mathfrak{U}_F(\mathfrak{A}^{\ast}(i))$ and functionality $(\mathfrak{U}_{\mathcal{A}}(\mathfrak{A}^{\ast}))(i) = \mathfrak{U}_{\mathcal{A}}(\mathfrak{A}^{\ast}(i))$. From equality it then follows that $(\mathfrak{U}_F(\mathfrak{A}^{\ast}))(i) \in (\mathfrak{U}_{\mathcal{A}}(\mathfrak{A}^{\ast}))(i)$ for each $i \geq 1$. In simple language, the $i$th term of the process projection is a member of the $i$th term of the procedure projection. This satisfies the requirement of definition 2.2.6 that the procedure covers the sequence of frames: $\mathfrak{f}_i \in f_i$ for each $i \geq 1$. □
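The transform of Definition 2.4.9, the walk of Definition 2.4.8, and the conjointness and consistency properties that Theorems 2.4.11 through 2.4.14 establish, as an added Python example. This code is not from the report: the two-locus tank controller (its loci, variable names and functionalities) is constructed for illustration, reactive states are dictionaries whose persistent and volatile parts are picked out by name, and the successor reactive state is formed as $\phi\xi'$, the form the proofs use, which coincides with $f(\psi)\xi'$ whenever the step is consistent. The walk deliberately starts from an inconsistent step so that the "consistent or not" claim preceding Theorem 2.4.13 can be observed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A reactive state psi maps variable names to values.  Its persistent part phi is
# the restriction to PERSISTENT (dom Phi), its volatile part xi the restriction to
# VOLATILE (dom Xi).  Both name sets are constructed for this example.
PERSISTENT = ("level", "valve")
VOLATILE = ("sensor", "command")
State = Dict[str, int]
Functionality = Callable[[State], State]        # prod Psi -> prod Phi

def persistent(psi: State) -> State:
    """phi = psi restricted to dom Phi."""
    return {k: psi[k] for k in PERSISTENT}

def dyadic(phi: State, xi: State) -> State:
    """The dyadic product phi xi reassembles a reactive state from its two parts."""
    return {**phi, **{k: xi[k] for k in VOLATILE}}

@dataclass(frozen=True)
class Step:
    locus: str
    functionality: Functionality
    psi: State          # frame ordinate 1: reactive state
    phi: State          # frame ordinate 2: persistent state
    @property
    def frame(self) -> Tuple[State, State]:
        return (self.psi, self.phi)

# Constructed automaton: a tank-level controller with loci "filling" and "idle".
def fill(psi: State) -> State:
    return {"level": psi["level"] + psi["sensor"], "valve": 1}

def hold(psi: State) -> State:
    return {"level": psi["level"], "valve": 0}

def actuator_filling(psi: State) -> Functionality:   # an actuator picks a functionality
    return fill if psi["command"] == 1 else hold

def actuator_idle(psi: State) -> Functionality:
    return hold

ACTUATORS = {"filling": actuator_filling, "idle": actuator_idle}   # the map E: locus -> actuator

def jump(locus: str, psi: State) -> str:
    """The jump function Delta: Lambda x prod Psi -> Lambda."""
    if psi["level"] >= 10:
        return "idle"
    return "filling" if psi["command"] == 1 else "idle"

def transform(s: Step, xi_next: State) -> Step:
    """One application of T_A (Definition 2.4.9) under event stimulus xi'."""
    locus_next = jump(s.locus, s.psi)              # lambda' = Delta(lambda, psi)
    psi_next = dyadic(s.phi, xi_next)              # psi' = phi xi' (= f(psi) xi' for a consistent s)
    f_next = ACTUATORS[locus_next](psi_next)       # f' = (E(lambda'))(psi')
    phi_next = f_next(psi_next)                    # phi' = f'(psi')
    return Step(locus_next, f_next, psi_next, phi_next)

def walk(s: Step, excitation: List[State]) -> List[Step]:
    """Definition 2.4.8: s_1 = s and s_{i+1} = T_A(s_i) under xi_i."""
    steps = [s]
    for xi in excitation:
        steps.append(transform(steps[-1], xi))
    return steps

def conjoins(frame_a: Tuple[State, State], frame_b: Tuple[State, State]) -> bool:
    """(psi, phi) conjoins (psi', phi') when psi' restricted to dom Phi equals phi."""
    return persistent(frame_b[0]) == frame_a[1]

def consistent(s: Step) -> bool:
    """Consistency as used in Theorem 2.4.13: the frame lies in the functionality, phi = f(psi)."""
    return s.functionality(s.psi) == s.phi

def sequential_projections(steps: List[Step]):
    """Lemma 2.4.6: path, procedure and process projections taken term by term."""
    return ([t.locus for t in steps],
            [t.functionality.__name__ for t in steps],
            [t.frame for t in steps])

def check_walk(steps: List[Step]) -> Tuple[bool, bool]:
    """(every successor step is consistent, the frame sequence is a process)."""
    successors_consistent = all(consistent(t) for t in steps[1:])
    is_process = all(conjoins(a.frame, b.frame) for a, b in zip(steps, steps[1:]))
    return successors_consistent, is_process

def example_walk() -> List[Step]:
    """A constructed walk whose initial step is deliberately inconsistent."""
    psi0 = {"level": 0, "valve": 0, "sensor": 0, "command": 1}
    start = Step("filling", hold, psi0, {"level": 5, "valve": 0})   # phi != hold(psi0)
    excitation = [{"sensor": 3, "command": 1}, {"sensor": 4, "command": 1},
                  {"sensor": 5, "command": 1}, {"sensor": 0, "command": 0}]
    return walk(start, excitation)

if __name__ == "__main__":
    ws = example_walk()
    print("initial step consistent:", consistent(ws[0]))
    print("successors consistent, frames form a process:", check_walk(ws))
    print("path projection:", sequential_projections(ws)[0])
```

The initial step is inconsistent (its $\phi$ is not $f(\psi)$), yet every successor produced by `transform` is consistent and the frames conjoin pairwise, so the frame sequence is a process; the procedure projection covers the process projection from the first consistent step on.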
2.5 Reverse inference


The construction of automata provides that steps unfold in sequential fashion - that is, the next step becomes 
known after completing the current step. Consequently automata inherit an intrinsic “forward” orientation. 
It is also reasonable to inquire what may have occurred in previous steps. This question is the motivation for 
reverse inference, which considers automata operating backwards. 


2.5.1 Iterative converse

Let $(\Psi, \Phi)$ be a basis with persistent-volatile partition $\Psi = \Phi\Xi$ and step space $\mathbb{S} = \Lambda \times \mathcal{A} \times (\prod\Psi \times \prod\Phi)$. Suppose step $s = (\lambda, f, (\psi, \phi)) \in \mathbb{S}$, whence the volatile excitation of $s$ is $\xi = \psi|_{\operatorname{dom}\Xi}$.

Definition 2.5.1. Let $(\Psi, \Phi)$ be a basis with step space $\mathbb{S}$ and iterative operator $V : \mathbb{S} \to \mathbb{S}$. The iterative converse of $V$ is the mapping $\breve{V} : \mathbb{S} \to \mathscr{P}(\mathbb{S})$ defined by

$$\breve{V}(s) = \{\hat{s} \in \mathbb{S} : V(\hat{s}) = s\},$$

where $\mathscr{P}(\mathbb{S})$ denotes the power set of $\mathbb{S}$ (in other words, the iterative converse is a mapping from a step to a set of steps).


2.5.2 Converse actuated automaton

An actuated automaton $\mathfrak{A} = (\Psi, \Phi, \Lambda, \mathcal{E}, \Delta)$ induces an iterative operator on step space. Reverse inference is identifying all immediate predecessor steps $s_{n-1}$ such that $s_n = \mathfrak{A}(s_{n-1})$. We have obviously

$$\breve{\mathfrak{A}}(s) = \{\hat{s} \in \mathbb{S} : \mathfrak{A}(\hat{s}) = s\}.$$

Remark. Although referring informally to the converse $\breve{\mathfrak{A}}$ of an automaton $\mathfrak{A}$, speaking precisely we have defined the converse $\breve{\mathfrak{A}}(s)$ of a step $s \in \mathbb{S}$ within the step space associated with that automaton.

A system of equations ensues with subscripted variables known and held constant, and unsubscripted variables free. Roots of the system represent discrete solutions. Let us look carefully at the further case that $s = (\lambda, f, \mathfrak{f}) = (\lambda, f, (\psi, \phi)) \in \Lambda \times \mathcal{A} \times F$:

$$\breve{\mathfrak{A}}(\lambda_0, f_0, \mathfrak{f}_0) = \{(\lambda, f, \mathfrak{f}) \in \mathbb{S} : \mathfrak{A}(\lambda, f, \mathfrak{f}) = (\lambda_0, f_0, \mathfrak{f}_0)\},$$

$$\breve{\mathfrak{A}}(\lambda_0, f_0, (\psi_0, \phi_0)) = \{(\lambda, f, (\psi, \phi)) \in \mathbb{S} : \mathfrak{A}(\lambda, f, (\psi, \phi)) = (\lambda_0, f_0, (\psi_0, \phi_0))\}.$$

2.5.3 Constraining equations

State transition in an actuated automaton is built in three successive phases: locus state, functionality state, and frame state.

Definition 2.4.9 presents rules governing forward state transition in the form of three equations, portraying current state as known and unknown future state as uniquely determined by formulas. This sense can be reversed, with current state known and feasible past states represented as unknowns.

The automaton-induced forward transformation $\mathfrak{A} : \mathbb{S} \to \mathbb{S}$ has been set (definition 2.4.9) as

$$\lambda' = \Delta(\lambda, \psi),$$

$$f' = (\mathcal{E}(\Delta(\lambda, \psi)))(f(\psi)\xi'),$$

$$\mathfrak{f}' = (\psi', \phi') = \bigl([f(\psi)\xi'],\ [(\mathcal{E}(\Delta(\lambda, \psi)))(f(\psi)\xi')]([f(\psi)\xi'])\bigr).$$

The respective governing backwards transformations are

$$\lambda_0 = \Delta(\lambda, \psi),$$

$$f_0 = (\mathcal{E}(\Delta(\lambda, \psi)))(f(\psi)\xi_0),$$

$$\mathfrak{f}_0 = (\psi_0, \phi_0) = \bigl([f(\psi)\xi_0],\ [(\mathcal{E}(\Delta(\lambda, \psi)))(f(\psi)\xi_0)]([f(\psi)\xi_0])\bigr).$$

Due to conjointness, $\psi_0 = f(\psi)\xi_0 = \phi\xi_0$ throughout:

$$\lambda_0 = \Delta(\lambda, \psi),$$

$$f_0 = (\mathcal{E}(\Delta(\lambda, \psi)))(\psi_0),$$

$$\mathfrak{f}_0 = (\psi_0, \phi_0) = \bigl(\psi_0,\ [(\mathcal{E}(\Delta(\lambda, \psi)))(\psi_0)](\psi_0)\bigr).$$

Substituting $\lambda_0 = \Delta(\lambda, \psi)$ and $a_0 = \mathcal{E}(\lambda_0)$ into the last two formulas,

$$\lambda_0 = \Delta(\lambda, \psi),$$

$$f_0 = (\mathcal{E}(\lambda_0))(\psi_0) = a_0(\psi_0),$$

$$\mathfrak{f}_0 = (\psi_0, \phi_0) = \bigl(\psi_0,\ [(\mathcal{E}(\lambda_0))(\psi_0)](\psi_0)\bigr) = \bigl(\psi_0,\ [a_0(\psi_0)](\psi_0)\bigr).$$

Finally, substituting $f_0 = a_0(\psi_0)$ into the last two formulas,

$$\lambda_0 = \Delta(\lambda, \psi),$$

$$f_0 = f_0,$$

$$\mathfrak{f}_0 = (\psi_0, f_0(\psi_0)) = \mathfrak{f}_0.$$

Only the first of these is a "real" constraint; the others are identities.


2.5.4 Solution set

A feasible set for an equation is the collection of values that satisfy the equation. Producing the solution for a system of constraining equations involves intersecting the individual feasible sets $Q_i$. The general solution set for the system of equations is $Q = \bigcap_i Q_i$.

The case of the converse automaton $\breve{\mathfrak{A}}$ consists of three constraining equations (§2.5.3). First of these is $\lambda_0 = \Delta(\lambda, \psi)$. Let $\mathbb{S} = \Lambda \times \mathcal{A} \times (\prod\Psi \times \prod\Phi)$ be a fully elaborated step space. In set-builder notation the feasible set is $Q_1 = \{(\lambda, f, (\psi, \phi)) \in \mathbb{S} : \lambda_0 = \Delta(\lambda, \psi)\}$. The other constraints are identities, which all members of $\mathbb{S}$ satisfy; in other words, $Q_2 = Q_3 = \mathbb{S}$. The general solution is $Q = Q_1 \cap Q_2 \cap Q_3 = Q_1 \cap \mathbb{S} \cap \mathbb{S} = Q_1$, or $Q = \{(\lambda, f, (\psi, \phi)) \in \mathbb{S} : \lambda_0 = \Delta(\lambda, \psi)\}$. An understandable abuse of terminology says that the solution set is $\lambda_0 = \Delta(\lambda, \psi)$, which is technically a constraining equation.


2.6 Cone 


A cone is a construct prepared with the iterative converse of an actuated automaton. It consists of all finite 
backwards walks converging to a given point. The term “cone” is more ideologic than geometric. 
2.6.1 Description


The actuated automaton possesses a non-deterministic* converse relation (see §2.5.1).

A collection of reverse walks is realized through repetitive re-application of the converse, converging to a designated crux step. These iterative chains may be localized (trimmed to finite length) by enforcing some stopping criterion. This construction results in the cone, a structured set of possible localized walks eventually leading to the crux step. The starting points of such walks are known as precursor steps of the crux step.


2.6.2 Inductive generation

Definition 2.6.1. Let $\mathbb{S}$ be a step space containing crux step $s_{\text{crux}}$. Suppose $V : \mathbb{S} \to \mathbb{S}$ is an iterative operator with converse $\breve{V} : \mathbb{S} \to \mathscr{P}(\mathbb{S})$.

(base clause) Let base protoset $G^{(0)} = \{s_{\text{crux}}\}$ be the 0th predecessor generation of $s_{\text{crux}}$.
(inductive clause) The $(n+1)$th generation predecessors are defined in terms of the $n$th generation:

$$G^{(n+1)} = \bigcup_{s \in G^{(n)}} \breve{V}(s).$$

Remark. This definition places protoset $G^{(1)} = \breve{V}(s_{\text{crux}})$.

Remark. For a discussion of protoset $G^{(n)}$ in context of the Cartesian product, see Appendix §A.3.1.

2.6.3 Partial order

Membership in a converse iterative operator induces a partial ordering:

Definition 2.6.2. Let $\mathbb{S}$ be a step space with converse iterative operator $\breve{V} : \mathbb{S} \to \mathscr{P}(\mathbb{S})$. If $s' \in \breve{V}(s)$, then $s'$ precedes $s$, written $s' \prec s$.


2.6.4 Predecessor walk

A predecessor walk begins at step $s_0 = s_{\text{crux}}$ and proceeds backwards, indexing through the negative integers. In this case we abuse the proper sense of the term "sequence" by permitting an indexing not being the natural numbers.

Definition 2.6.3. Let $\mathbb{S}$ be a step space. A localized predecessor walk starting with step $s_0 = s_{\text{crux}}$ is a finite sequence in step space such that $s_{i-1} \prec s_i$ for every $i \leq 0$.

Remark. For example in the case $i = -2$, we have $s_{-3} \prec s_{-2}$.

Since a localized predecessor walk $w$ is a finite sequence of steps, it has a finite number of terms which run in index $i$ from $-(n-1) \leq i \leq 0$, where $n = |w| < \infty$ is the number of steps in $w$.

Definition 2.6.4. A set $W$ of localized predecessor walks, all starting at $w_0 = s_{\text{crux}}$, is complete if

$$\forall (w \in W)\ \forall (-(|w|-2) \leq i \leq 0)\ \forall (s \in \breve{V}(w_i))\ \exists (e \in W) : w_i = e_i \wedge s = e_{i-1}.$$

* That is, the converse is not generally a pointwise invertible mapping as suggested by the term inverse.
Remark. Completeness assures combinatorial diversity. An algorithm equivalent to the above one-liner is:

    for each w in W begin
        # number of steps in localized walk is |w|
        # abused index runs between 0 [for start step w_0 = s_crux] and -(|w| - 1) [last predecessor step]
        # no iteration through i = -(|w| - 1) because then s == e_{i-1} below would be undefined
        for i = 0 downto -(|w| - 2) begin
            for each s in V̆(w_i) begin
                if there is a member e ∈ W such that w_i == e_i and s == e_{i-1} then
                    answer = TRUE
                else
                    answer = FALSE
                if answer == FALSE then return FALSE
            end
        end
    end
    return TRUE


Definition 2.6.5. Let $w$ and $w'$ be localized predecessor walks starting at $w_0 = w'_0 = s_{\text{crux}}$. Suppose the length of $w$ is $|w| = n$ and the length of $w'$ is $|w'| = m$, with $m < n$. If $w'(i) = w(i)$ for every $-(m-1) \leq i \leq 0$, then $w$ and $w'$ are dependent with $w'$ dispensable.

Definition 2.6.6. Let $W$ be a set of localized predecessor walks starting at $s_0 = s_{\text{crux}}$. The set is independent if it contains no dispensable member.


2.6.5 Cone

Definition 2.6.7. A cone $C$ is a complete independent set of localized predecessor walks starting at $s_{\text{crux}}$.

Remark. [Stopping rule] We avoid the specificity of various stopping criteria (§2.6.1) by introducing the equivalent but arbitrary notion of localization.

Definition 2.6.8. Let $C$ be a cone with $w \in C$ a member localized predecessor walk. Suppose $n = |w|$ is the number of steps in $w$. The terminus $w(-(n-1)) = w_{-(n-1)}$ is the edge step of walk $w$.

Definition 2.6.9. Let $C$ be a cone. Its edge, written $\operatorname{edge} C$, is the collection of edge steps of all member localized predecessor walks.

Definition 2.6.10. An acyclic cone has no cycle (loop) in its path projection $\mathfrak{U}_\Lambda$ (see §2.4.5).

Theorem 2.6.11. The acyclic cone $C$ and $\operatorname{edge} C$ are in one-to-one correspondence via the edge step relation of a localized predecessor walk.

Proof. Assume the opposite: there are different localized predecessor walks with the same edge step. Let $u$ and $v$ be two different walks with common edge step $s_{\text{common}}$.

Suppose $|u| = m$ and $|v| = n$, so the indexes of $s_{\text{common}}$ are $-(m-1)$ and $-(n-1)$ respectively.

We assert that if $u_{-(m-1)+i} = v_{-(n-1)+i}$ for some $i \geq 0$, then $u_{-(m-1)+(i+1)} = v_{-(n-1)+(i+1)}$.

Suppose sequencing is governed by an actuated automaton $\mathfrak{A}$. So sequenced, the next step in predecessor walk $u$ is $u_{-(m-1)+(i+1)} = \mathfrak{A}(u_{-(m-1)+i})$. Similarly, the next step in $v$ is $v_{-(n-1)+(i+1)} = \mathfrak{A}(v_{-(n-1)+i})$.

But if $u_{-(m-1)+i} = v_{-(n-1)+i} = s$, then $\mathfrak{A}(u_{-(m-1)+i}) = \mathfrak{A}(v_{-(n-1)+i}) = \mathfrak{A}(s)$. By transitivity of equality,

$$u_{-(m-1)+(i+1)} = v_{-(n-1)+(i+1)} = \mathfrak{A}(s).$$

Without loss of generality suppose $m \leq n$. Then $u_{-(m-1)+i} = v_{-(n-1)+i}$ is true for $i = 0, 1, \ldots, m-1$. At $i = m-1$ we have $s_{\text{crux}} = u_0 = v_{-(n-1)+(m-1)} = v_{-(n-m)}$. Since $v$ is a localized predecessor walk of a cone, then $v_0 = s_{\text{crux}}$. But $v_0 = s_{\text{crux}} = v_{-(n-m)}$. Because the cone is assumed acyclic, $v_0$ and $v_{-(n-m)}$ must then be the same identical step; that is, $m = n$.

Here the assumption of two different local predecessor walks with the same edge step leads to the contradiction that both are indeed the same identical walk. This means local predecessor walks within an acyclic cone $C$ are in one-to-one correspondence with $\operatorname{edge} C$ via the edge step relation. □
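The converse of Definition 2.5.1, the predecessor generations of Definition 2.6.1, and the cone machinery of Definitions 2.6.3 through 2.6.10 (completeness per the pseudocode above, independence, edge, acyclicity), as an added Python example; the last function also performs the reversal and re-indexing that section 3.1.2 later calls a test. The code is not the report's: the eight-step space, its forward operator, the naming of steps as a locus letter followed by a state digit, and the depth-based stopping rule are all constructed for illustration, and a walk is represented as a tuple whose position $j$ holds $w_{-j}$.

```python
from typing import Dict, List, Set, Tuple

Step = str                    # a step is written "<locus><state>", e.g. "B1" (constructed)
Walk = Tuple[Step, ...]       # (w_0, w_-1, ..., w_-(n-1)); position 0 is the crux

# Constructed finite step space and forward iterative operator V: S -> S.
STEPS: Set[Step] = {"A0", "A1", "B0", "B1", "C0", "C1", "D0", "D1"}
FORWARD: Dict[Step, Step] = {
    "A0": "B0", "A1": "B1", "B0": "C0", "B1": "C0",
    "C0": "D0", "C1": "D0", "D0": "D1", "D1": "D1",
}

def locus(s: Step) -> str:
    """Path projection of one step: its locus letter."""
    return s[0]

def converse(forward: Dict[Step, Step]) -> Dict[Step, Set[Step]]:
    """Definition 2.5.1: V-breve(s) = { t in S : V(t) = s }, found by enumerating S."""
    conv: Dict[Step, Set[Step]] = {s: set() for s in STEPS}
    for t, s in forward.items():
        conv[s].add(t)
    return conv

def generations(conv: Dict[Step, Set[Step]], crux: Step, depth: int) -> List[Set[Step]]:
    """Definition 2.6.1: G(0) = {crux}; G(n+1) = union of V-breve(s) over s in G(n)."""
    gens = [{crux}]
    for _ in range(depth):
        gens.append(set().union(*(conv[s] for s in gens[-1])))
    return gens

def predecessor_walks(conv: Dict[Step, Set[Step]], crux: Step, depth: int) -> Set[Walk]:
    """All localized predecessor walks from crux, localized by a maximum depth (the
    stopping rule).  Prefixes are kept, so the set is complete but not independent."""
    walks: Set[Walk] = set()
    def extend(w: Walk) -> None:
        walks.add(w)
        if len(w) - 1 < depth:
            for s in conv[w[-1]]:
                extend(w + (s,))
    extend((crux,))
    return walks

def is_complete(W: Set[Walk], conv: Dict[Step, Set[Step]]) -> bool:
    """Definition 2.6.4, as in the pseudocode: every predecessor of every non-terminal
    step w_i of every walk is continued by some walk e that agrees with w down to i."""
    for w in W:
        for i in range(len(w) - 1):                  # abused index 0 .. -(|w|-2)
            for s in conv[w[i]]:
                if not any(len(e) > i + 1 and e[i] == w[i] and e[i + 1] == s for e in W):
                    return False
    return True

def dispensable(w: Walk, W: Set[Walk]) -> bool:
    """Definition 2.6.5: w is a proper initial segment of a longer walk in W."""
    return any(len(e) > len(w) and e[:len(w)] == w for e in W)

def independent(W: Set[Walk]) -> Set[Walk]:
    """Definition 2.6.6: drop every dispensable member."""
    return {w for w in W if not dispensable(w, W)}

def cone(conv: Dict[Step, Set[Step]], crux: Step, depth: int) -> Set[Walk]:
    """Definition 2.6.7: a complete and independent set of localized predecessor walks."""
    return independent(predecessor_walks(conv, crux, depth))

def edge(C: Set[Walk]) -> Set[Step]:
    """Definition 2.6.9: the terminus w_{-(n-1)} of each member walk."""
    return {w[-1] for w in C}

def acyclic(C: Set[Walk]) -> bool:
    """Definition 2.6.10: no locus repeats within any member walk's path projection."""
    return all(len({locus(s) for s in w}) == len(w) for w in C)

def to_test(w: Walk) -> Tuple[Step, ...]:
    """Reverse and re-index so that the walk runs edge -> crux (section 3.1.2)."""
    return tuple(reversed(w))

if __name__ == "__main__":
    conv = converse(FORWARD)
    C = cone(conv, "D0", 3)
    print("generations:", generations(conv, "D0", 3))
    print("cone:", sorted(C), "complete:", is_complete(C, conv), "acyclic:", acyclic(C))
    print("edge:", sorted(edge(C)), "tests:", sorted(to_test(w) for w in C))
```

With crux `D0` and depth 3 the cone has three walks, one of which stops early because `C1` has no predecessor; the edge therefore has three steps and, the cone being acyclic, Theorem 2.6.11's one-to-one correspondence holds. Dropping one walk from the cone breaks completeness, which `is_complete` reports.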


2.7 Operational profile


An operational profile is a limit of the cumulative history of software execution ratios under normal operations (which is troublesome to define).

Remark. This section frequently uses the compound idiom that $\{x_n\}$ represents an anonymous sequence of objects of the same type as $x$. That is, if $X$ is the set of all $x_i$, then $\{x_n\} : \mathbb{N} \to X$.


2.7.1 Musa's operational profile

Musa et al. intended operational profiles as a tool for analysis of software reliability. A notion of the operational profile appeared in their pioneering exposition [10]. This reference gives a definition in terms of the program's higher purpose, as reflected in run types. Consequently an operational profile is the set of run types that the program can execute along with the probabilities they will occur. One can easily envision its extension to smaller program units.


2.7.2 Extended operational profile

We shall extend run types into steps, the elementary quantum of automata. This detaches the operational profile concept from notions such as run types, which are part of human understanding rather than algorithmic structure (however, the idea pops up elsewhere). Despite appearances, this extension is not so large; the only addition is a method for counting step events.


2.7.3 Counting

Let $\{s_n\}$ be a walk (infinite sequence of steps) and let $Z$ be an arbitrary reference set of steps (members of step space $\mathbb{S} = \Lambda \times \mathcal{A} \times F$). Simply summarized, $N_Z(\{s_n\}, k)$ denotes the number of occurrences of any member of $Z$ before or at the $k$th automaton step.

Details follow for those interested. When the $i$th step of the walk is a member of $Z$ ($s_i \in Z$), then $\{s_n\}$ is said to arrive at $i$.

Definition 2.7.1. An arrival function is a sequence $\psi : \{1, 2, \ldots\} \to \{n_1, n_2, \ldots\}$ mapping each arrival, as identified by its ordinal occurrence number $i$, into its frame sequence number $n_i$.

The arrival function assumes the natural order, that is, $i < j$ implies $n_i < n_j$.
A related function counts how many arrivals occur within a given interval:

Definition 2.7.2. Suppose $\{s_n\}$ is a walk and $Z$ is a set of steps. Let $\psi$ be an arrival function. The counting function $N_Z : \mathbb{S}^{\mathbb{N}} \times \mathbb{N} \to \mathbb{N}$ induced by $\psi$ is

$$N_Z(\{s_n\}, k) = \max\{i : \psi(i) \leq k\},$$

and for completeness set $\max(\emptyset) = 0$.


2.7.4 Normal operations

The idea behind "normal operations" is a long program run following a software usage pattern. Interaction with the environment affects software behavior, which is ultimately transmitted through response to changing volatile variables. Normal operations calls for a run of figuratively unbounded duration during which software experiences the usage pattern's variation of volatile stimulus, in response to which possibly unbalanced service is demanded from its inventory of functions.

Systems engineering often augments what is here the automaton's step poset with a transition network of modes. These modes symbolically encapsulate enabled or disabled capabilities. However, even though this augmentation facilitates visualization of behaviors, it fails to be mathematically definitive.†


Orbit

We have not defined normal operations, but every example would certainly constitute a walk (sequence of steps). A special walk illustrating normal operations (as described above) will be termed here an orbit. Without formal definition, use of this term sacrifices rigor.

Remark. The actuated automaton governs pure step transition logic, but an orbit also reflects a usage pattern.


Limit conjecture

Orbits may differ in specific sequence and content, but they have the same limit ratios. We consider a case drawn with the counting procedure of §2.7.3.

Conjecture 2.7.3. For different orbits $o = \{s_n\}$ and $o' = \{s'_n\}$ having the same usage pattern,

$$\lim_{k \to \infty} \frac{N_U(\{s_n\}, k)}{N_Z(\{s_n\}, k)} = \lim_{k \to \infty} \frac{N_U(\{s'_n\}, k)}{N_Z(\{s'_n\}, k)}$$

for sets of steps $\emptyset \neq U \subseteq Z \subseteq \mathbb{S}$.


2.7.5 Types of operational profile

A relative operational profile is the conditional probability that a step in an actuated automaton's orbit coincides with a particular member of the reference set, given that it agrees with the reference set. We consider one other: an absolute operational profile is the time rate at which a particular step of an orbit coincides with any member of the reference set.

† The author is unaware of a proper definition.
2.7.6 Relative operational profile


Let $o = \{s_n\}$ be an orbit. Suppose $z \in Z \subseteq \mathbb{S}$ is a step of the reference set. Software encounters $N_{\{z\}}(\{s_n\}, k)$ instances of steps satisfying $\{s_n\}(i) = s_i = z$ during the first $k$ automaton steps. In the same execution there are $N_Z(\{s_n\}, k)$ instances of $s_i \in Z$. In the frequentist school of interpreting probability,

$$P(z \mid Z) = \lim_{k \to \infty} \frac{N_{\{z\}}(\{s_n\}, k)}{N_Z(\{s_n\}, k)}$$

represents the conditional probability of occurrence of $z$, given that $Z$ occurs. By Conjecture 2.7.3 every orbit (of the same usage pattern) yields the same relative operational profile.

A relative operational profile is an arbitrary set $Z$ of steps, along with each step's conditional probability of execution. In other words, a relative operational profile is a mapping $O : Z \to [0, 1]$ having total measure 1.


2.7.7 Absolute operational profile


Let $o = \{s_n\}$ be an orbit. An absolute operational profile is the probability $P(Z)$ with which an orbit (of some usage pattern) coincides with any step of the reference set $Z$. As before, this probability is the limiting ratio of two counting functions. Its numerator contains $N_Z(\{s_n\}, k)$, the same count as appears in the denominator of the relative operational profile. In its denominator is the counting function of all possible steps, namely $N_{\mathbb{S}}(\{s_n\}, k)$, where $\mathbb{S}$ is the space of all steps. Thus the ratio of counting functions of reference set $Z$ to the entire space $\mathbb{S}$ is $N_Z(\{s_n\}, k) / N_{\mathbb{S}}(\{s_n\}, k)$; since $N_{\mathbb{S}}(\{s_n\}, k) = k$, the absolute operational profile (of collection $Z$) is

$$P(Z) = \lim_{k \to \infty} \frac{N_Z(\{s_n\}, k)}{k}.$$


2.7.8 Conversion into a rate

Section 1.4.2 mentions the synchronization function, a cross-reference between discrete and real time. During each step, an amount of real time appropriate for a software system emulating the automaton's step is added to the time consumption budget. Let $Z$ be the usual arbitrary reference collection of steps and $o = \{s_n\}$ be an orbit. These two provide a set of events and a sequence of steps in which to count the events' arrivals. The synchronization records discrete pairs $(k, t_k)$, where $k$ is the index of the automaton step and $t_k$ is the total elapsed time after $k$ steps. Call this mapping the synchronization function, having the formalism $\operatorname{sync} : \mathbb{S}^{\mathbb{N}} \times \mathbb{N} \to \mathbb{R}^{+}$, along with assumed starting point $\operatorname{sync}(\{s_n\}, 0) = 0$.

Let the sequence index of each step be the discrete analog of time. Of course, this has the effect that discrete software time will not hold proportional to hardware real time. The approximate real time required by execution of step $s = (\lambda, f, \mathfrak{f})$ is $\tau(f)$; that is, elapsed real time is taken as a function of the executing functionality.

Definition 2.7.4. For orbit $o = \{s_n\}$, approximate time elapsed during the first $k$ steps accumulates to

$$\operatorname{sync}(\{s_n\}, k) = \sum_{i=1}^{k} \tau(f_i) = \sum_{i=1}^{k} \tau(\mathfrak{U}_{\mathcal{A}}(s_i)) = t_k.$$

A theorem to avoid creating dependency on specific orbits is in order. Inability to define normal operations leads instead to conjecture, expressing such need:

Conjecture 2.7.5. For different orbits $o = \{s_n\}$ and $o' = \{s'_n\}$ having the same usage pattern,

$$\lim_{k \to \infty} \frac{N_Z(\{s_n\}, k)}{\operatorname{sync}(\{s_n\}, k)} = \lim_{k \to \infty} \frac{N_Z(\{s'_n\}, k)}{\operatorname{sync}(\{s'_n\}, k)}$$

for a reference set of steps $\emptyset \neq Z \subseteq \mathbb{S}$.
The synchronization function allows expression of the absolute operational profile as an intensity (rate or 
quasi-frequency). 

Definition 2.7.6. The counting norm is written using the double bar notation $\|\cdot\|$:

$$\|Z\| = \lim_{k \to \infty} \frac{N_Z(\{s_n\}, k)}{\operatorname{sync}(\{s_n\}, k)}.$$

The absolute operational profile is properly a subadditive seminorm on sets of steps. As the limiting ratio of two counts in the natural numbers, the norm is positive. The norm is a seminorm because for some nonempty set $Z$ it may be true that $\|Z\| = 0$ (if the usage pattern does not activate any member of the reference set). This norm is subadditive because for any other set $S$, $N_{Z \cup S}(\{s_n\}, k) \leq N_Z(\{s_n\}, k) + N_S(\{s_n\}, k)$. It follows that $\|Z \cup S\| \leq \|Z\| + \|S\|$.
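The counting function of §2.7.3, the relative and absolute operational profiles of §2.7.6 and §2.7.7, and the synchronization function and counting norm of §2.7.8, evaluated at finite $k$ on a constructed orbit, as an added Python example. None of this is the report's code: steps are named after their functionality, the periodic usage pattern, the per-functionality times $\tau(f)$ and the reference sets are all constructed here, and "orbit" means a long walk generated from that pattern, which is exactly the situation in which the finite-$k$ ratios already equal their limits.

```python
from typing import Dict, List, Sequence, Set

Step = str   # steps are named by their functionality, e.g. "read" (constructed)

# Constructed usage pattern, repeated to produce an orbit of any length.
PATTERN: Sequence[Step] = ("read", "check", "actuate", "read", "check", "log")

# Constructed tau(f): seconds consumed by each functionality's step.
TAU: Dict[Step, float] = {"read": 2.0, "check": 1.0, "actuate": 5.0, "log": 3.0}

def orbit(length: int, phase: int = 0) -> List[Step]:
    """A walk of `length` steps following PATTERN; `phase` shifts where the walk starts,
    giving a different orbit of the same usage pattern (Conjecture 2.7.3)."""
    return [PATTERN[(i + phase) % len(PATTERN)] for i in range(length)]

def arrivals(walk: Sequence[Step], Z: Set[Step]) -> List[int]:
    """Definition 2.7.1: the arrival function psi(i) = n_i as a list; n_i is the
    1-based step number of the i-th step lying in Z, in natural order."""
    return [n for n, s in enumerate(walk, start=1) if s in Z]

def count(walk: Sequence[Step], Z: Set[Step], k: int) -> int:
    """Definition 2.7.2: N_Z({s_n}, k) = max{ i : psi(i) <= k }, with max(empty) = 0."""
    return max((i for i, n in enumerate(arrivals(walk, Z), start=1) if n <= k), default=0)

def relative_profile(walk: Sequence[Step], Z: Set[Step], k: int) -> Dict[Step, float]:
    """P(z | Z) at finite k: N_{z}({s_n}, k) / N_Z({s_n}, k) for each z in Z."""
    n_z = count(walk, Z, k)
    return {z: count(walk, {z}, k) / n_z for z in Z} if n_z else {}

def absolute_profile(walk: Sequence[Step], Z: Set[Step], k: int) -> float:
    """P(Z) at finite k: N_Z({s_n}, k) / k, since N_S({s_n}, k) = k."""
    return count(walk, Z, k) / k

def sync(walk: Sequence[Step], k: int) -> float:
    """Definition 2.7.4: t_k = sum of tau(f_i) over the first k steps; sync(., 0) = 0."""
    return sum(TAU[s] for s in walk[:k])

def counting_norm(walk: Sequence[Step], Z: Set[Step], k: int) -> float:
    """Definition 2.7.6 at finite k: N_Z / sync, an arrival rate per second."""
    return count(walk, Z, k) / sync(walk, k)

def subadditive(walk: Sequence[Step], Z: Set[Step], S: Set[Step], k: int) -> bool:
    """The inequality behind subadditivity: N_{Z u S} <= N_Z + N_S."""
    return count(walk, Z | S, k) <= count(walk, Z, k) + count(walk, S, k)

if __name__ == "__main__":
    o, Z, k = orbit(600), {"actuate", "log"}, 600
    print("N_Z:", count(o, Z, k))
    print("relative profile:", relative_profile(o, Z, k))
    print("absolute profile:", absolute_profile(o, Z, k))
    print("sync(k):", sync(o, k), "counting norm:", counting_norm(o, Z, k))
    print("same pattern, other phase:", relative_profile(orbit(600, phase=2), Z, k))
```

On this orbit every period contributes two arrivals to $Z = \{\text{actuate}, \text{log}\}$ and consumes 14 seconds, so after 100 periods the absolute profile is $1/3$ per step and the counting norm is $1/7$ arrivals per second; a reference set that the usage pattern never activates has norm 0, which is why the norm is only a seminorm.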
Chapter 3


Application 


The safety demonstration furnishes data for the indemnification statistic, which originates in the compound 
Poisson random process. 


3.1 Reliability demonstration 


A reliability demonstration is a structured random experiment carrying controlled statistical uncertainty and 
providing “hard” evidence against potential liability. 


3.1.1 Safety demonstration 

In software safety analysis, a hazard is a region of code bearing potential harmful side effects if incorrectly implemented. A safety demonstration is a special type of reliability demonstration posed to exercise a hazard. Here the region is presumed to be an acyclic cone, with the hazard located at its crux. The crux is a point of software/hardware transduction, illustrating the principle of emergence* (see §1.4.3).

To oversimplify, a safety demonstration is a random sample from such a region (acyclic cone). The complete story is not so simple, because the cone is not a probabilistic structure; it possesses no probability to support randomness.

As a probabilistic structure, the operational profile (§2.7.6) permits random sampling from its reference set, regardless of its higher level meaning. As the edge of a cone is a set, it can become a relative operational profile's reference set. Thus we tie an operational profile to a cone's edge. Let $O : \operatorname{edge} C \to [0, 1]$ be a relative operational profile on the edge of cone $C$. At this stage we have the ability to draw a random sample from $\operatorname{edge} C$.

Theorem 2.6.11 asserts that an acyclic cone $C$ and $\operatorname{edge} C$ are in one-to-one correspondence via the edge step relation of a localized predecessor walk. Equivalent to the one-to-one correspondence is the bijection $b = \{(\operatorname{edge} w, w) : w \in C\}$. For $e \in \operatorname{edge} C$, $b(e)$ is the bijectively corresponding localized predecessor walk.

We now bijectively associate the random edge event $e = b^{-1}(w)$ with the localized predecessor walk $w$: $O' = \{(O(b^{-1}(w)), w) : w \in C\}$. With probability inherited from an operational profile, we can speak validly of a random sample from a cone.

* Software causes no harm until erroneous values transduce the boundary between software and hardware.


3.1.2 Tests

The last piece of the safety demonstration story is converting local predecessor walks into tests. Localized predecessor walks are finite walks existing in confusion-prone backwards time. One may skip this section unless he wishes the detail of converting backward to forward walks.

The test function reverses and re-indexes localized predecessor walks into conventional sequences.

Definition 3.1.1. Let $w$ be a localized predecessor walk of $n = |w|$ steps, indexed from 0 down to $-(n-1)$. Define the test function $\mathrm{t}(w) = \hat{w}$ according to the formula $\hat{w}_i = w_{i-n}$ for $i = 1, 2, \ldots, n$.

Assuming that a localized predecessor walk is indexed from 0 down to $-(n-1)$, its corresponding test will be indexed from 1 to $n$. In sense of direction, the localized predecessor walk traverses steps from $s_{\text{crux}}$ to $s_{\text{edge}}$, while the corresponding test traverses steps from $s_{\text{edge}}$ to $s_{\text{crux}}$.

Theorem 3.1.2. Suppose $C$ is an acyclic cone and $W \subseteq C$ is a (unique) set of localized predecessor walks. If $\hat{W} = \mathrm{t}(W)$ is its converted set of reversed and re-indexed tests, then $W$ and $\hat{W}$ are in one-to-one correspondence.

Proof. By virtue of construction, $\mathrm{t}$ is already a mapping. Remaining to show is that $\mathrm{t}$ is additionally a bijection. Let $u$ and $v$ be localized predecessor walks and $x$ be a finite walk. As hypothesis set $x = \mathrm{t}(u) = \mathrm{t}(v)$. These sequences cannot be equal unless they possess the same number of terms, $n = |x| = |\mathrm{t}(u)| = |\mathrm{t}(v)|$. Since transformation $\mathrm{t}$ preserves the number of steps (from Definition 3.1.1, $|w| = |\mathrm{t}(w)|$), then $n = |x| = |u| = |v|$.

Again invoking Definition 3.1.1 on the first part of the hypothesis, we write $x_i = u_{i-n}$. The second part similarly yields $x_i = v_{i-n}$. By equating the two parts, we now have $u_{i-n} = v_{i-n}$ for each $i$. In other words, the two localized predecessor walks are actually the same walk: $u = v$. Thus $\mathrm{t}$ is a bijection. □


Volatile variables preservation 

The danger in reversed thinking about tests is inadvertently conceptualizing volatile variables as free. This is 
untrue: the volatile variables at any stage of a predecessor chain are fixed, and the "next" (earlier) stage considers 
the set of previous conditions that may have led to the current stage. Thus, predecessor walks are chains of a 
poset of steps, which include the settings of volatile variables. One must be mindful to reproduce all volatile 
stimuli of the localized predecessor walk in its analogous test; a test that leaves them free exercises a different walk. 


3.1.3 Outcome 

The outcome of a test, pass or fail, will be regarded as a Bernoulli random event with $P_p(n) = p^n (1-p)^{1-n}$ for 
$n = 1$ (fail) or $n = 0$ (pass), where $p$ is the proportion of failing tests (§3.1.5). The form of these probabilities 
does not depend on the bias involved in drawing the sample from the operational profile: that bias governs which 
walks are drawn, and so where discovered failures originate, while $p$ is the failure proportion of the population 
actually sampled. In other words, the statistical power of the sampling plan, as a function of $p$, is not affected 
by sampling bias. 

Sums of independent Bernoulli random variables are binomial. That is, the probability of finding $n$ failures 
collectively among $N$ sample items is binomial, 

$$\binom{N}{n} p^n (1-p)^{N-n}.$$ 
3.1.4 Physics 


In the real world, tests pass or fail depending on whether the information transduced at step $s_{\mathrm{crux}}$ meets all 
safety constraints. Such engineering requirements are varied, ultimately involving position, timing, voltage, 
insulation, dimensional tolerance, toxicity, temperature, mechanical shielding, luminosity, and hydrostatic 
pressure, just to name a few areas. Review of a test offers a last chance to discover a missed constraint 
(requirement). Another possibility is that the chain of precursor events should actually lead to a different 
conclusion. 

Transduced values potentially control the status of any safety concern. Tests simply pass or fail, but evaluation 
of why a test passes or fails can become nontrivial, requiring collaboration between mechanical, software, 
and system safety engineers. 


3.1.5 Statistics 

Some statistical error originates in inference from a random sample to an "unknown" population (a parametric 
family of probability distributions on a measurable space). Just one distribution is true, while the others are false. 
An assertion separating the parameterization into two decision units is called a hypothesis. One decision unit 
is traditionally designated null, while the other is called alternate. The true distribution belongs either to the 
null or to the alternate decision unit. 

Each sample item either passes or fails its associated test (see §3.1.4). Within the entire cone $C$, suppose the 
proportion of tests that fail is $p$. This proportion is subsequently realized approximately through a random 
sample. Regardless of the sample size, since the application is to safety, the only case of interest will be 
when the number of failures is zero. Other cases, implying need for reliability growth, are treated in the 
literature, particularly [10]. 

We now examine the case defined by drawing a random sample of size $N$ from $\operatorname{edge} C$ and allowing $n = 0$ 
failures in the associated tests from cone $C$. The null decision unit contains the single probability distribution 
$P_0(\text{pass}) = 1$ and $P_0(\text{fail}) = 0$. The alternate decision unit is the set of probability distributions $P_p$ having 
$0 < p \le 1$. Hypothesis evaluation entails two types of error, known as $\alpha$ and $\beta$ error. 


False rejection ($\alpha$ error) 

The first is false rejection of the null decision unit, with associated measurement error $\alpha$. The sampling plan 
can reject only if it finds a failure, which cannot happen when the null distribution is true, so this sampling plan 
is incapable of false rejection. Thus $\alpha = 0$. 


False acceptance ($\beta$ error) 

The second is false acceptance of the null decision unit, with associated measurement error $\beta$. We experience 
false acceptance when $0 < p$ but the sample contains no failures. 

Under the binomial model, the probability of observing a random sample of size $N$ with $n$ failures collectively 
is $\binom{N}{n} p^n (1-p)^{N-n}$. Proceeding to our case of interest, $n = 0$, we have 

$$\binom{N}{n} p^n (1-p)^{N-n}\Big|_{n=0} = (1-p)^N.$$ 

This expression is the probability that a random sample of size $N$ from a source of characteristic 
failure proportion $p$ will be accepted. 
Power function 


It is confusing to reason in terms of contravariant¹ attributes. In our case we formulate the probability of rejection 
as an increasing function of $p$, a measure of the population's undesirability. The probability that random 
samples will be properly rejected is the previous expression's complement: 

$$K_{N,0}(p) = 1 - (1-p)^N = 1 - \beta.$$ 

This non-contravariant result is known as the power function of sample size $N$, tolerating zero (0) failures. 
The graph of the power function always increases, starting at $0$ for $p = 0$ and ending at $1$ for $p = 1$. Just 
how fast this function increases in its midrange is determined by the sample size $N$. With sample size one 
($N = 1$), $K_{1,0}(p) = p$. 


     N   p=.001   p=.01    p=.05    p=.10    p=.50    p=.90 
     1   .0010    .0100    .0500    .1000    .5000    .9000 
     5   .0050    .0490    .2262    .4095    .9688   1.0000 
    10   .0100    .0956    .4013    .6513    .9990   1.0000 
    15   .0149    .1399    .5367    .7941   1.0000   1.0000 
    20   .0198    .1821    .6415    .8784   1.0000   1.0000 
    30   .0296    .2603    .7854    .9576   1.0000   1.0000 
    50   .0488    .3950    .9231    .9948   1.0000   1.0000 
   100   .0952    .6340    .9941   1.0000   1.0000   1.0000 
   200   .1814    .8660   1.0000   1.0000   1.0000   1.0000 
   500   .3936    .9934   1.0000   1.0000   1.0000   1.0000 
  1000   .6323   1.0000   1.0000   1.0000   1.0000   1.0000 
  2000   .8648   1.0000   1.0000   1.0000   1.0000   1.0000 
  5000   .9933   1.0000   1.0000   1.0000   1.0000   1.0000 
 10000  1.0000   1.0000   1.0000   1.0000   1.0000   1.0000 

Table 3.1: Family of power functions $K_{N,0}(p)$ (probability of rejection), by sample size $N$ and failure proportion $p$ 

Within this family $\beta = (1-p)^N = 1 - K_{N,0}(p)$. 

One is initially dismayed by this sketch of the family of power functions; it suggests that high degrees of 
assurance are unobtainable through random sampling using practical sample sizes (detecting a failure proportion 
of one in a thousand with at least 90% probability takes between 2,000 and 5,000 items). However, reasonable 
performance useful for coarser screening is very possible. Detecting a defective population of 10 percent 
with a probability of about 88% (Table 3.1, $N = 20$, $p = .10$) requires only 20 sample items. 
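The power function of this section and Table 3.1, together with the sample-size planning it implies, as an added worked example (illustration code written for this edition, not the report's own; the planning function, which inverts $K_{N,0}$ for a target power, goes one step beyond the text):

```python
# Added example (not code from the report): the zero-failure power function
# K_{N,0}(p) = 1 - (1-p)^N of Section 3.1.5, its beta complement, the
# binomial model behind them, and the sample size a target power demands.
# The planning function inverts K and goes one step beyond the text.
import math


def binomial_pmf(N: int, n: int, p: float) -> float:
    """P(n failures among N items) = C(N,n) p^n (1-p)^(N-n)."""
    if not 0 <= n <= N or not 0.0 <= p <= 1.0:
        raise ValueError("n must lie in 0..N and p in [0, 1]")
    return math.comb(N, n) * p ** n * (1.0 - p) ** (N - n)


def beta_error(N: int, p: float) -> float:
    """Probability of false acceptance: a sample of size N from a population
    with failure proportion p shows zero failures (binomial_pmf(N, 0, p))."""
    return (1.0 - p) ** N


def power(N: int, p: float) -> float:
    """K_{N,0}(p) = 1 - beta: probability the zero-failure plan rejects."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a proportion")
    return 1.0 - beta_error(N, p)


def sample_size_for_power(p: float, target: float) -> int:
    """Smallest N with K_{N,0}(p) >= target, from N >= ln(1-target)/ln(1-p).
    This inverse of the power function is an extension, not stated in the report."""
    if not 0.0 < p < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("p and target must be strictly between 0 and 1")
    N = math.ceil(math.log(1.0 - target) / math.log(1.0 - p) - 1e-12)
    while power(N, p) < target:        # guard against rounding at the boundary
        N += 1
    return N


def power_table(sizes, proportions):
    """Rows of Table 3.1: {N: [K_{N,0}(p) for each p]}, rounded to 4 places."""
    return {N: [round(power(N, p), 4) for p in proportions] for N in sizes}


if __name__ == "__main__":
    ps = [0.001, 0.01, 0.05, 0.10, 0.50, 0.90]
    for N, row in power_table([1, 5, 10, 20, 100, 1000], ps).items():
        print(f"{N:>5}", " ".join(f"{k:.4f}" for k in row))
    print("N for 90% power at p=0.10:", sample_size_for_power(0.10, 0.90))
```

The last line of the usage block is the planning question behind the "only 20 sample items" remark: exactly 90% power at $p = .10$ needs 22 items, and the same power at $p = .001$ needs a little over 2,300, which is where the dismay in the paragraph above comes from.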


3.1.6 Sampling philosophy 

Our safety demonstration sampling technique contrasts two assurance philosophies: software reliability 
versus software correctness. The software reliability perspective involves a separate operational profile on 
$\operatorname{edge} C$, whereas software correctness examines only the structure within cone $C$. The operational profile 
asserts the importance of relative excitational intensity to safety analysis. An accident that occurs more 
frequently is worse than an accident that happens less frequently, given that they are of comparable severity. 
This safety factor is ignored under software correctness alone. 

¹ One increasing, the other decreasing. 
3.2 Modeling accidents 


Accidents are diverse in effect and mechanism, including injury, death, or damage either to equipment or 
environment. Since the causality of accidents is, at the time, unknown, they manifest an apparent nature 
of unpredictability or randomness. Under emulation as a stochastic process, the exact timing of 
accidents is treated as a truly random phenomenon rather than a causal one. Nevertheless, it has proven useful to compare 
well-understood summary statistics of stochastic processes with those of deterministic but unknown physical 
processes. 


3.2.1 Compound Poisson process 

Today's prevalent safety model for the occurrence of accidents is the compound Poisson² process. This 
model captures accidents' two dominant attributes: rate of occurrence (intensity) and a scalar measure of loss 
(severity). With some exceptions, neither the timing nor the severity of one software accident affects another. 
The compound Poisson process (CPP) is appropriate to model accidents of this nature. 

As stochastic processes are models rather than mechanisms, deriving their properties involves somewhat 
out-of-scope mathematics. The interested reader can immediately find greater detail in the Wikipedia online 
articles cited in the bibliography. Relevant theorems will be documented here simply as facts. 


3.2.2 Poisson processes 

We will consider three variants of basic stochastic process; the ordinary Poisson process, the compound 
Poisson process, and the intermittent compound Poisson process. 


Ordinary Poisson process 

(Ordinary) Poisson processes are characterized simply by their rate or intensity: 

• its fundamental rate $\lambda$, which is the expected number of arrivals per unit time. 

Fact 3.2.1. Let $\lambda$ be the rate of a Poisson process. The probability of experiencing $k$ arrivals in a time 
interval $t$ units long is 

$$P_\lambda(k) = e^{-\lambda t}\,\frac{(\lambda t)^k}{k!}.$$ 


Compound Poisson process 

A compound Poisson process is characterized by two rates: 

• its fundamental rate $\lambda$ as before, and 

• its rate of loss $L$, which is a random variable invoked once for each arrival. 

² After Siméon Denis Poisson, mathematician and physicist, 1781–1840. 
Fact 3.2.2. Let $\lambda$ be the rate and $L$ be the loss random variable of a compound Poisson process. The 
expectation of the compound process for a time interval $t$ units long is 

$$E(\text{compound Poisson}) = \lambda t \cdot E(L) = \lambda t \cdot \mu_L.$$ 

Definition 3.2.3. The statistical risk, written $h$, of a compound Poisson process is the time derivative of its 
expectation in a duration of length $t$; that is 

$$h = \frac{d}{dt}\,E(\text{compound Poisson}) = \frac{d}{dt}\,(\lambda t \cdot \mu_L) = \lambda\mu_L,$$ 

which is the product of its rate $\lambda$ and its expected loss $\mu_L$. 


Intermittent compound Poisson process 

A variation of the CPP is the intermittent compound Poisson process, which is intermittently on or off with 
expected durations $E(T_{\mathrm{on}}) = \mu_{\mathrm{on}}$ and $E(T_{\mathrm{off}}) = \mu_{\mathrm{off}}$. An intermittent compound Poisson process (ICPP) is 
characterized by three rates: 

• its fundamental rate $\lambda$ as before, 

• its rate of loss $L$, also as before, and 

• alternating durations of random lengths $T_{\mathrm{on}}$ and $T_{\mathrm{off}}$. 

The averages of the random variables $T_{\mathrm{on}}$ and $T_{\mathrm{off}}$ converge to $\mu_{\mathrm{on}}$ and $\mu_{\mathrm{off}}$ in the limit. The idle ratio of an 
intermittent compound Poisson process is 

$$\iota = \frac{\mu_{\mathrm{off}}}{\mu_{\mathrm{on}} + \mu_{\mathrm{off}}}.$$ 

Fact 3.2.4. Let $\lambda$ be the rate, $L$ be the loss random variable, and $\iota$ be the idle ratio of an intermittent 
compound Poisson process. The expectation of the ICPP for a time interval $t$ units long is 

$$E(\text{intermittent compound Poisson}) = (1-\iota)\cdot\lambda t\cdot E(L) = (1-\iota)\cdot\lambda t\cdot\mu_L.$$ 

The statistical risk of an ICPP is 

$$h = \frac{d}{dt}\,E(\text{intermittent compound Poisson}) = \frac{d}{dt}\big((1-\iota)\cdot\lambda t\cdot\mu_L + \iota\cdot 0\cdot t\cdot 0\big) = (1-\iota)\lambda\mu_L.$$ 
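Facts 3.2.1 through 3.2.4 in closed form, beside a Monte Carlo emulation of the compound and intermittent compound Poisson processes that can be checked against them, as an added worked example (illustration code written for this edition, not the report's own; the rates, loss distribution and on/off means are constructed values, and the exponential loss is an assumption of the example, since the report leaves the loss distribution $L$ unspecified):

```python
# Added example (not code from the report): Facts 3.2.1-3.2.4 in closed form
# beside a Monte Carlo emulation of the compound and intermittent compound
# Poisson processes.  Rates, losses and on/off means are constructed values;
# exponential losses are an assumption of the example.
import math
import random


def poisson_pmf(k: int, lam: float, t: float) -> float:
    """Fact 3.2.1: P_lambda(k) = e^{-lam t} (lam t)^k / k!."""
    if k < 0 or lam < 0 or t < 0:
        raise ValueError("k, lam and t must be non-negative")
    return math.exp(-lam * t) * (lam * t) ** k / math.factorial(k)


def cpp_expectation(lam: float, t: float, mu_L: float) -> float:
    """Fact 3.2.2: expected total loss of a CPP over a duration t."""
    return lam * t * mu_L


def idle_ratio(mu_on: float, mu_off: float) -> float:
    """iota = mu_off / (mu_on + mu_off); zero for a plain CPP."""
    return mu_off / (mu_on + mu_off)


def statistical_risk(lam: float, mu_L: float, iota: float = 0.0) -> float:
    """Definition 3.2.3 / Fact 3.2.4: h = (1 - iota) * lam * mu_L."""
    return (1.0 - iota) * lam * mu_L


def simulate_icpp(lam, mu_L, mu_on, mu_off, horizon, seed=1):
    """Emulate an ICPP on [0, horizon): exponential on/off phases with means
    mu_on and mu_off; during an on-phase arrivals come at rate lam, each
    carrying an exponential loss of mean mu_L.  mu_off == 0 never switches
    off, which is the ordinary CPP.  Returns (arrival count, total loss)."""
    rng = random.Random(seed)
    now, on, arrivals, loss = 0.0, True, 0, 0.0
    while now < horizon:
        if on:
            end = horizon if mu_off == 0 else min(horizon, now + rng.expovariate(1.0 / mu_on))
            t = now + rng.expovariate(lam)   # memoryless: restart the arrival clock at phase start
            while t < end:
                arrivals += 1
                loss += rng.expovariate(1.0 / mu_L)
                t += rng.expovariate(lam)
        else:
            end = min(horizon, now + rng.expovariate(1.0 / mu_off))
        now = end
        if mu_off > 0:
            on = not on
    return arrivals, loss


def emulation_gap(lam, mu_L, mu_on, mu_off, horizon, seed=1):
    """Relative gap between the emulated loss rate (total loss / horizon)
    and the closed-form statistical risk h of Fact 3.2.4."""
    _, loss = simulate_icpp(lam, mu_L, mu_on, mu_off, horizon, seed)
    h = statistical_risk(lam, mu_L, idle_ratio(mu_on, mu_off))
    return abs(loss / horizon - h) / h


if __name__ == "__main__":
    # Constructed parameters: two arrivals per unit time, mean loss 5,
    # on-phases of mean 3 against off-phases of mean 1 (idle ratio 1/4).
    print("h (CPP)  =", statistical_risk(2.0, 5.0))
    print("h (ICPP) =", statistical_risk(2.0, 5.0, idle_ratio(3.0, 1.0)))
    print("emulation gap, CPP :", emulation_gap(2.0, 5.0, 3.0, 0.0, 50000.0))
    print("emulation gap, ICPP:", emulation_gap(2.0, 5.0, 3.0, 1.0, 50000.0))
```

With a horizon of 50,000 time units the emulated loss rate lands within a few percent of $\lambda\mu_L$ and $(1-\iota)\lambda\mu_L$ respectively, which is the sense in which the facts above are "documented simply as facts": they are what the emulation converges to.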

3.3 Indemnification 



Hypothesize that a software hazard is emulated by a compound Poisson process (CPP) having intensity $\lambda$ and 
expected loss $\mu_L$. Suppose further that the actual control mechanism is a cone convergent to the software 
point of exhibition of the hazard. We wish to consider statistical evidence that the hazard's hypothetical 
description via the stochastic process is consistent with its mechanism as revealed by safety demonstration. 
3.3.1 Unification 


Before undertaking the question of whether test data supports a hypothetical stochastic process, we must 
establish the theoretical conditions under which equality is expected. 


Fundaments of the model 

The compound Poisson process is a model stochastic process for the occurrence of accidents. This model is 
used in safety analysis to quantify the occurrence and losses of accidents without considering their causes. 
MIL-STD-882 (see the appendix) is an important example. In a time interval of duration $t$, the accident count 
converges stochastically to the expectation $\lambda t$ and the mean loss to $\mu_L$. This means an intensity of $\lambda$ accidents per 
time unit. 


Fundaments of the mechanism 

The actuated automaton is a mechanism representing software. When extended by the principle of emergence 
(§1.4.3) and the constructs of operational profiles (§2.7) and cones (§2.6), it becomes capable of 
representing precursor conditions for software accidents. Let $\|\operatorname{edge} C\|$ (see §2.7.8) be the rate-based absolute 
operational profile of the edge of an acyclic cone $C$. Since a member of $\operatorname{edge} C$ is executed at the average 
intensity of $\|\operatorname{edge} C\|$, then so is the cone's step of convergence $s_{\mathrm{crux}}$. Let $p$ be the proportion of failing tests 
(localized predecessor walks). Under that supposition, failures occur at the intensity of $p\cdot\|\operatorname{edge} C\|$. The 
definition of $\|\operatorname{edge} C\|$, through the internal function $\operatorname{sync}(\cdot)$, allows for the passage of time in the proper 
duration. 


Uniting mechanism and model 

We presume that one failing test equals one accident. The cone's step of convergence is considered to be the 
point of exhibition of a hazard whenever safety constraints are not met. This mechanism may be separately 
equated to the intensity (not the rate of loss) of the compound Poisson process: 

$$\lambda = p\cdot\|\operatorname{edge} C\|.$$ 

This equation places a property of the model on the left and properties of the mechanism on the right. 

Remark. The execution rate of the edge of an acyclic cone numerically equals the execution rate of the 
(set containing the) cone's crux. The cone's definitional status (as a complete independent set of localized 
predecessor walks ending at $s_{\mathrm{crux}}$) causes this. Symbolically, 

$$\|\operatorname{edge} C\| = \|\{s_{\mathrm{crux}}\}\|.$$ 


3.3.2 Evidence 

We propose that the same data used earlier for indemnification testing be re-used in a slightly different 
statistical context. Recall that an indemnification test has $N$ items among which are zero failures, where each 
item is a localized predecessor walk, and a cone is a structured collection of localized predecessor walks of 
an automaton. 

We wish to measure the amount of information in an indemnification sample, to explain the phenomenon that 
larger samples justify more precise estimates than smaller samples. We refer to this information as measuring 
the weight of evidence. This situation differs from the familiar problem of finding the maximum likelihood 
estimator, which for a zero-failure sample is the uninformative $\hat{p} = 0$ regardless of $N$. 


Method of indifference 

The power function of sample size $N$, tolerating zero (0) failures, is $K_{N,0}(p) = 1 - (1-p)^N$ (see §3.1.5). 
It measures the probability of rejection as a function of $p$. 

Each power function $K_{N,0}(p) = 1 - (1-p)^N$ is characterized by its indifference proportion, which is 
defined as the proportion at which rejection and acceptance become equally likely (that is, $K_{N,0}(p_I) = \tfrac12 = 
1 - K_{N,0}(p_I)$). With only modest algebra, the analytic expression for the indifference proportion may be 
derived from the power function $K_{N,0}(p)$: setting $(1-p_I)^N = \tfrac12$ gives 

$$p_I = 1 - \sqrt[N]{\tfrac12}.$$ 


Below is a numerical tabulation of the previous formula: 


     N   p_I (indifference) 
     1   .50000 
     5   .12945 
    10   .06697 
    15   .04516 
    20   .03406 
    30   .02284 
    50   .01377 
   100   .00691 
   200   .00346 
   500   .00139 
  1000   .00069 
  2000   .00035 
  5000   .00014 
 10000   .00007 

Table 3.2: Indifference proportion $p_I = 1 - \sqrt[N]{1/2}$ by sample size $N$ 


Indemniflcation formula 

The indemnification formula provides a statistical upper bound on hazard intensity: indemnification data may 
be expressed as an equivalent statistical upper bound on hazard intensity. This differs fundamentally from 
estimating the intensity of a hazard. By a statistically "guaranteed" hazard intensity, we mean an upper bound 
such that the true hazard intensity is likely to fall beneath this level with known confidence (probability). 

Suppose we choose $\tfrac12$ as the known confidence. The indifference proportion $p_I = 1 - \sqrt[N]{\tfrac12}$ then has a 
second interpretation as an upper bound with confidence $\tfrac12$. For any $p \ge p_I$, the probability that a sample of 
size $N$ shows zero failures is $(1-p)^N \le \tfrac12$, so the sampling plan rejects every such $p$ with probability at least 
$K_{N,0}(p_I) = \tfrac12$; accordingly $p_I$ is an upper bound of confidence $\tfrac12$. 

To convert from the size of the indemnification sample into its equivalent upper bound on hazard intensity, first find 
the indifference proportion $p_I = 1 - \sqrt[N]{\tfrac12}$. 
Then check the sample physics. This amounts to analysis of the originating cone $C$, which is the point of exhibition 
of a hazard whenever safety constraints are not met. The cone's edge has an absolute operational profile 
expressed as a rate. This quantity is the counting norm of the cone's edge. 

We have shown that the probable upper bound of the hazard intensity is proportional to the indifference 
proportion, with constant of proportionality furnished by the counting norm of the cone's edge. The indemnification 
formula is: 

$$\lambda_I = p_I\cdot\|\operatorname{edge} C\| = p_I\cdot\|\{s_{\mathrm{crux}}\}\|.$$ 
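The indifference proportion, Table 3.2 and the indemnification formula, carried through to the sample size a target intensity demands, as an added worked example (illustration code written for this edition, not the report's own; the `confidence` parameter generalizes the report's fixed choice of $\tfrac12$ to the standard zero-failure bound $1 - (1-C)^{1/N}$, which is an extension of the text, and the edge counting norm and hypothesized intensity used in the usage block are constructed values):

```python
# Added example (not code from the report): the indifference proportion of
# Section 3.3.2, the indemnification formula lambda_I = p_I * ||edge C||, and
# the sample size needed to indemnify a hazard down to a target intensity.
# The confidence parameter generalizes the report's fixed choice of 1/2;
# the edge counting norm and hypothesized intensity below are constructed.
import math


def indifference_proportion(N: int) -> float:
    """p_I = 1 - (1/2)^(1/N): the failure proportion at which a zero-failure
    sample of size N is equally likely to be accepted or rejected."""
    if N < 1:
        raise ValueError("sample size must be positive")
    return 1.0 - 0.5 ** (1.0 / N)


def upper_bound_proportion(N: int, confidence: float = 0.5) -> float:
    """Generalization (an assumption of this example, not a formula in the
    report): a zero-failure sample of size N bounds p above by
    1 - (1 - C)^(1/N) with confidence C.  C = 1/2 is the indifference proportion."""
    if N < 1 or not 0.0 < confidence < 1.0:
        raise ValueError("N must be positive and confidence strictly between 0 and 1")
    return 1.0 - (1.0 - confidence) ** (1.0 / N)


def indemnified_intensity(N: int, edge_norm: float, confidence: float = 0.5) -> float:
    """lambda_I = p_I * ||edge C||, where edge_norm is the counting norm
    (execution rate) of the cone's edge, equal to ||{s_crux}|| for an acyclic cone."""
    if edge_norm < 0:
        raise ValueError("an execution rate cannot be negative")
    return upper_bound_proportion(N, confidence) * edge_norm


def sample_size_for_intensity(lambda_target: float, edge_norm: float, confidence: float = 0.5) -> int:
    """Smallest N whose indemnified intensity is at most lambda_target
    (the indemnification formula run backwards; planning, not in the report)."""
    p_target = lambda_target / edge_norm
    if not 0.0 < p_target < 1.0:
        raise ValueError("target intensity must lie between 0 and the edge rate")
    N = math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_target) - 1e-12)
    while indemnified_intensity(N, edge_norm, confidence) > lambda_target:
        N += 1
    return N


def indemnifies(N: int, edge_norm: float, hypothesized_lambda: float, confidence: float = 0.5) -> bool:
    """Does a zero-failure sample of size N support the safety engineer's
    hypothesized hazard intensity?  True when the statistical upper bound
    lies at or beneath the hypothesized value."""
    return indemnified_intensity(N, edge_norm, confidence) <= hypothesized_lambda


def indifference_table(sizes):
    """Rows of Table 3.2, rounded to 5 places."""
    return {N: round(indifference_proportion(N), 5) for N in sizes}


if __name__ == "__main__":
    EDGE_NORM = 3600.0      # constructed: the crux executes 3600 times per unit time
    HYPOTHESIZED = 30.0     # constructed: the safety engineer's ballpark intensity
    for N, p in indifference_table([1, 5, 10, 20, 100, 1000, 10000]).items():
        print(f"{N:>6}  p_I={p:.5f}  lambda_I={indemnified_intensity(N, EDGE_NORM):.3f}")
    print("100 zero-failure items indemnify the hypothesis:", indemnifies(100, EDGE_NORM, HYPOTHESIZED))
    print("items needed for lambda_I <= 1% of the edge rate:", sample_size_for_intensity(36.0, EDGE_NORM))
```

The check `indemnifies` is the programmatic use described in the Epilogue: the safety engineer's early estimate is compared against a bound that the zero-failure sample actually supports, rather than re-guessed. The planning function turns the question around, giving the sample size that a required bound on intensity demands before testing starts.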
Chapter 4 


Epilogue 


From previous discussion two structures of system safety emerge; the safety demonstration and indemnifica¬ 
tion, its measure of assurance. Opinion follows. 


4.1 Programmatic fit 


Safety demonstration and indemnification merge smoothly into today's programmatic picture. Early in the 
development cycle, safety engineers provide "ballpark" quantifications of the threat of hazards [2], expressed 
as intensity and severity. These numbers are often educated guesses: a mixture of circumstance, intuition, 
similar design, and history. At that stage, the process is without supporting evidence. Later in the development 
cycle, assuming a program of structured testing has been followed, statistical evidence is available in the form 
of a safety demonstration. These data are expressed as a statistical upper bound on each software hazard's 
intensity, that is, an indemnification, and used as evidence of correct operation. This additional step frees 
the safety engineer from having to re-assess his original estimate using the same shallow method as the original 
guesstimate. 

Increasingly, automatic static analyzers satisfy the need for overall code robustness. However, exclusive 
reliance on these analyzers would leave a software safety engineering shortcoming, because they do not 
always detect code defects that have valid syntax (that is, a syntactically valid but wrong algorithm). 


4.2 Commercialization 


Difficult work remains before safety demonstration and indemnification can be supported as mature commercial 
technology. The role of the actuated automaton must be replaced by a real-world programming language. 
Present theory restricting tests (predecessor walks) to acyclic cones may require generalization to cyclic cones 
to achieve a broader range. Safety demonstration demands the ability to produce approximate operational 
profiles from which pseudo-random samples can be drawn. Spin-offs from similar technologies may be possible; 
static analyzers are one example. 
4.3 Criticism of MIL-STD-882 


Statistical risk is a model (see §1.4.2) emulating the threat of accidents. Users of MIL-STD-882 are familiar 
with statistical risk as an accident model for hardware. Software is properly deterministic and therefore non-stochastic, 
but it is successfully approximated with the same Poisson stochastic process as hardware. The 
rationale for this approximation is to apply a useful Poisson mathematical assurance property; thus assurance 
depends on the validity of the Poisson process as an approximation to the actuated automaton. 

The Standard introduces a risk-like scale replacing statistical risk for software. For purposes of this chapter, 
we call this replacement scale the design risk. The discussion of chapters 2 and 3 concludes that, from the 
standpoint of statistical assurance, there is no justification for the presently differing versions of the term risk 
between hardware and software. 

The state of software engineering is mixed science and sophisticated art. In the current Standard, art has 
somewhat overtaken science; for software, the concept of statistical risk has been abandoned. One subse¬ 
quently loses the ability to measure and assure risk uniformly. 

Design risk and statistical risk do share a severity axis, but the similarity ends there. Statistical risk has another 
axis composed of a numerical product, the frequency of execution times the probability of error. What we 
have called design risk also possesses another axis, but it is a categorical scale arranged in decreasing order 
of the design safety importance of the software’s functionality. 

This results in an error of omission in MIL-STD-882 with serious consequence. Because the frequency of 
execution of a software point is not well-correlated with its functionality’s design safety importance, statistical 
risk does not correlate well with design risk. Because the Standard assigns statistical risk to hardware and 
design risk to software, and due to lack of correlation between the two, there is no way to rank the relative 
importance of hazards of mixed type. Loss of the ability to compare risks of all hazards is a flagrant omission. 
Under correct physics, risks of multiple hazards are additive. This is not the case under MIL-STD-882. 

The formal sense of assurance is lost by these definitional variants. Being quantitatively assured requires 
a limit value on proportion or mean deviation and a statement of statistical confidence for this limit; the 
Standard clearly lacks this characteristic. Properly, assurance is a numeric quantity associated with statistical 
control of risk, not an engineering activity to further psychological confidence. Although its developers 
may express great confidence in the methodology, software built under the Standard is not quantitatively 
assured. 


4.4 Repair of MIL-STD-882 


Rehabilitation of MIL-STD-882 is straightforward. It must be amended to contain an engineering introduc¬ 
tion to statistical risk for software, including allied procedures. This subject matter is covered here in math¬ 
ematical language, but should be presented differently for engineers’ consumption. The revised Standard 
should distinguish between formal assurance and design confidence, and classify what procedures support 
either. Generally, the concerns associated with design risk align with developmental software engineering, 
while those of statistical risk align with responsibilities of system safety engineering, part of systems engi¬ 
neering. Software and Systems Engineering should not duplicate each other’s efforts. 
Appendix A 


Groundwork 


This appendix examines ensembles, a fundamental structure in the theory of systems which formalizes the 
notion of stimulus and response. From this start, discussion proceeds into the Cartesian product, choice spaces 
and subspaces, and partitions of choice spaces into persistent and volatile components. Dyadic notation is 
introduced. 


A.l Ensemble 


An ensemble is a special form of a more general structure known as a family. We employ nomenclature 
abridged from Halmos [3, p. 34] as follows: 

Terminology. Let $I$ and $X$ be non-empty sets, and $\psi\colon I \to X$ be a mapping. Each element $i \in I$ is an index, 
while $I$ itself is an index set. The mapping $\psi$ is a family; its co-domain $X$ is an indexed set. An ordered pair 
$(i, x)$ belonging to the family is a term, whose value $x = \psi(i) \in X$ is often denoted $\psi_i$. 

Notation. The family $\psi$ itself is routinely but abusively denoted $\{\psi_i\}$. This notation is a compound idiom.¹ 
Especially in the case of sequences over a set $G$, the symbol $\{g_n\}$ signifies the mapping $\{1 \mapsto g_1, 2 \mapsto g_2, \ldots\}$. 

Definition A.1.1. An ensemble is a non-empty family. 

Definition A.1.2. Let $\Psi$ be an ensemble, with $\operatorname{ran}\Psi$ its range. If $|\operatorname{ran}\Psi| = 1$, the ensemble is constant, 
otherwise it is variable. 

Remark. Since physical systems possess only a finite number of attributes, the scope of practical interest is 
limited to ensembles having finite index sets. 

Remark. A constant ensemble (Definition A.1.2) is also referenced under the historically colorful name Hobson's 
choice.² Using the word choice in its everyday sense, a Hobson's choice is oxymoronic: a free choice 
in which only one option is offered, with gist "Only one choice is no choice." 

Notation. Let $\Psi$ be an ensemble. For term $(i, P) \in \Psi$, we denote $P = \Psi_i$. 

¹ Its symbol is a composite of other notational devices that have no separate meaning. 

² Hobson was proprietor of a livery. He was noted for offering his customers their choice of any horse, as long as that horse was in 
the first unoccupied stall. 
A.2 Ensemble arithmetic 


Definition A.2.1. Ensembles $\Psi$ and $\Phi$ are disjoint if $\operatorname{dom}\Psi \cap \operatorname{dom}\Phi = \emptyset$ (that is, if their index sets have 
no member in common). 

Definition A.2.2. Ensembles $\Psi$ and $\Phi$ are complementary with respect to a third ensemble $\Upsilon$ if they are 
disjoint and $\Psi \cup \Phi = \Upsilon$. 

Notation. Regarding ensembles $\Psi$ and $\Phi$, we write $\Phi \subset \Psi$ to express that $\Phi$ is contained in $\Psi$, following 
ordinary set theory: term $(i, P) \in \Phi$ implies $(i, P) \in \Psi$. 

Definition A.2.3. Let $\Psi$ and $\Phi$ be ensembles such that $\Phi \subset \Psi$. In classification of the difference between $\Psi$ and 
$\Phi$, $\Psi$ is the minuend, $\Phi$ is the subtrahend, and the set difference³ $\Psi \setminus \Phi$ is the remainder. 

Lemma A.2.4. Let $\Psi$ and $\Phi$ be ensembles such that $\Phi \subset \Psi$. The subtrahend $\Phi$ and remainder $\Psi \setminus \Phi$ are 
disjoint and complementary with respect to $\Psi$. 

Proof. Since $\Phi \subset \Psi$, Definition A.2.3 applies. The minuend is $\Psi$, the subtrahend is $\Phi$, and the remainder is 
$\Psi \setminus \Phi$. 

Definition A.2.1 asserts that two ensembles $\Theta$ and $\Upsilon$ are disjoint if $\operatorname{dom}\Theta \cap \operatorname{dom}\Upsilon = \emptyset$. As hypothesis 
presume the lemma's antithesis, namely that the subtrahend $\Phi$ and the remainder $\Psi \setminus \Phi$ are not disjoint. This 
implies that there exists some $i$ such that $i \in \operatorname{dom}\Phi \cap \operatorname{dom}(\Psi \setminus \Phi)$. For this $i$ to exist in the intersection of 
the domains of two mappings, there must be both a term $(i, P) \in \Phi$ and a term $(i, Q) \in \Psi \setminus \Phi$. 

Because $(i, P) \in \Phi$ and the lemma's premise states that $\Phi \subset \Psi$, then $(i, P) \in \Psi$. Since term $(i, Q) \in \Psi \setminus \Phi$, 
then $(i, Q) \in \Psi$ and $(i, Q) \notin \Phi$. Since $\Psi$ is a mapping, $(i, P) \in \Psi$ and $(i, Q) \in \Psi$ together imply 
$P = Q$. With $P = Q$ and $(i, Q) \notin \Phi$, then also $(i, P) \notin \Phi$. 

However, the immediately preceding conclusion that $(i, P) \notin \Phi$ contradicts the earlier inference that term 
$(i, P) \in \Phi$ must exist if $i$ is a member of the intersection of the domains. Since the presumption that the 
subtrahend and remainder are not disjoint arrives at a contradiction, the subtrahend $\Phi$ and remainder $\Psi \setminus \Phi$ 
are indeed disjoint. 

The ensembles are complementary with respect to $\Psi$ by Definition A.2.2 because they are disjoint and 

$$\Phi \cup (\Psi \setminus \Phi) = \Psi. \qquad \square$$ 


A.3 Choice space 

Informally, a choice space is the totality of all possible combinations of variables' values within a given 
ensemble. The general Cartesian product formalizes this notion. 


A.3.1 General Cartesian product 

Definition A.3.1. Let $\Psi$ be an ensemble. By Definition A.1.1 each member of $\operatorname{ran}\Psi$ is itself a non-empty 
set. The proto-set $\Psi_\cup$ is the union of all such sets: 

$$\Psi_\cup = \bigcup_{R \in \operatorname{ran}\Psi} R.$$ 

³ The set difference $A \setminus B$ is not conventionally restricted to $B \subset A$, as is stipulated here. 
Remark. Definition A.3.1 expresses a relation between the ensemble $\Psi$'s indexed sets and the proto-set, 
namely that for each $i \in \operatorname{dom}\Psi$, $\Psi(i) \subset \Psi_\cup$. An alternative portrayal uses the power set, claiming $\Psi(i) \in \mathcal{P}(\Psi_\cup)$. 

Definition A.3.2. Let $\Psi$ be an ensemble with proto-set $\Psi_\cup$. The proto-space of $\Psi$ is the set $\Psi_\cup^{\operatorname{dom}\Psi}$ of 
all mappings $\operatorname{dom}\Psi \to \Psi_\cup$. 

Definition A.3.3. Let $\Psi$ be an ensemble with proto-set $\Psi_\cup$. Let $x\colon \operatorname{dom}\Psi \to \Psi_\cup$ be a mapping. If $x$ 
satisfies $x(i) \in \Psi(i)$ for each $i \in \operatorname{dom}\Psi$, then $x$ is a choice mapping of $\Psi$. 

Definition A.3.4. The set of all choice mappings of ensemble $\Psi$ is the choice space (or general Cartesian 
product) $\prod\Psi$. 

Terminology. Through the general Cartesian product, an ensemble generates a choice space. For brevity we 
refer to a point in a choice space (that is, a choice mapping) simply as a choice. 

Theorem A.3.5. The proto-space of ensemble $\Psi$ includes its choice space $\prod\Psi$ (that is, $\prod\Psi \subset \Psi_\cup^{\operatorname{dom}\Psi}$). 

Proof. Suppose $x \in \prod\Psi$. By Definition A.3.3, $x$ is a mapping $\operatorname{dom}\Psi \to \Psi_\cup$. Then, by Definition A.3.2, 
$x \in \Psi_\cup^{\operatorname{dom}\Psi}$. Thus, any member of $\prod\Psi$ is also a member of $\Psi_\cup^{\operatorname{dom}\Psi}$. From this we conclude $\prod\Psi \subset \Psi_\cup^{\operatorname{dom}\Psi}$. □ 

Theorem A.3.6. An ensemble generates one unique choice space: let $\Theta$ and $\Phi$ be two ensembles generating 
choice spaces $\prod\Theta$ and $\prod\Phi$ respectively. If $\Theta = \Phi$, then $\prod\Theta = \prod\Phi$. 

Proof. To show the contrapositive, suppose $\prod\Theta \ne \prod\Phi$. This premise can be true only if either A: there is a 
choice $\alpha \in \prod\Theta$ such that $\alpha \notin \prod\Phi$, or B: there is a choice $\beta \in \prod\Phi$ such that $\beta \notin \prod\Theta$. 

In case A, $\alpha$ is a choice of $\Theta$, that is, for each $k \in \operatorname{dom}\Theta$, $\alpha(k) \in \Theta(k)$. For hypothesis, assume $\Theta = \Phi$, so 
that $\operatorname{dom}\Theta = \operatorname{dom}\Phi$. Then for each $k \in \operatorname{dom}\Phi$, $\alpha(k) \in \Phi(k)$, since by the equality hypothesis $\Theta(k) = \Phi(k)$ 
and $\alpha(k) \in \Theta(k)$. This means $\alpha$ is a choice of $\Phi$, that is, $\alpha \in \prod\Phi$. However, this conclusion contradicts 
the second part of the premise for case A, namely that $\alpha \notin \prod\Phi$. Thus the hypothesis $\Theta = \Phi$ is false, so 
$\Theta \ne \Phi$. 

The argument for case B is the same as A, except reversing the roles of $\Theta$ and $\Phi$. Together, cases A and 
B show that $\prod\Theta \ne \prod\Phi$ implies $\Theta \ne \Phi$. Applying the contrapositive principle⁴ gives $\prod\Theta = \prod\Phi$ if 
$\Theta = \Phi$. □ 

Theorem A.3.7. Any choice space has one unique generating ensemble: let $\Theta$ and $\Phi$ be two ensembles 
generating choice spaces $\prod\Theta$ and $\prod\Phi$ respectively. If $\prod\Theta = \prod\Phi$, then $\Theta = \Phi$. 

Proof. To show the contrapositive, suppose $\Theta \ne \Phi$. From this premise there must exist either A: $(i, P) \in \Theta$ 
such that $(i, P) \notin \Phi$, or B: $(j, Q) \in \Phi$ such that $(j, Q) \notin \Theta$. 

The first case A decomposes into two sub-cases: either A1: $i \in \operatorname{dom}\Theta$ and $i \in \operatorname{dom}\Phi$, or A2: $i \in \operatorname{dom}\Theta$ and $i \notin \operatorname{dom}\Phi$. 

In sub-case A1, we must have $\Theta(i) \ne \Phi(i)$ to support $\Theta \ne \Phi$. For this there must be either A1a: there is 
$u \in \Theta(i)$ such that $u \notin \Phi(i)$, or A1b: there is $v \in \Phi(i)$ such that $v \notin \Theta(i)$. 

In sub-sub-case A1a, there must exist by Definitions A.3.4 and A.3.3 a choice $\alpha \in \prod\Theta$ such that $\alpha(i) = u$. 
However, there can be no choice $\beta \in \prod\Phi$ such that $\beta(i) = u$, since $u \notin \Phi(i)$. Therefore $\alpha \notin \prod\Phi$, with the 
consequence that $\prod\Theta \ne \prod\Phi$. 

⁴ One form of which is $(\neg B \Rightarrow \neg A) \Leftrightarrow (A \Rightarrow B)$. 
In sub-sub-case A1b there is $v \in \Phi(i)$ such that $v \notin \Theta(i)$. Similarly to A1a, there exists $\beta \in \prod\Phi$ such that 
$\beta(i) = v$, but no $\alpha \in \prod\Theta$ such that $\alpha(i) = v$, again concluding that $\prod\Theta \ne \prod\Phi$. 

In sub-case A2, we have $i \in \operatorname{dom}\Theta$ and $i \notin \operatorname{dom}\Phi$. By Definitions A.3.4 and A.3.3, for any $x \in \Theta(i)$ there 
exists a choice $\alpha_x \in \prod\Theta$ such that $\alpha_x(i) = x$. However, there is no choice $\beta \in \prod\Phi$ such that $\beta(i) = x$, 
because $i \notin \operatorname{dom}\Phi = \operatorname{dom}\beta$. This concludes $\prod\Theta \ne \prod\Phi$ for sub-case A2. 

The proofs for the subordinate cases of B are the same as A, reversing the roles of $\Theta$ and $\Phi$. Taken together, 
these sub-case analyses show exhaustively that $\Theta \ne \Phi$ implies $\prod\Theta \ne \prod\Phi$. By contraposition, $\Theta = \Phi$ if 
$\prod\Theta = \prod\Phi$. □ 

Theorem A.3.8. Choice spaces and generating ensembles are in one-to-one correspondence via the general 
Cartesian product. 

Proof. Theorem A.3.6 asserts that any ensemble generates only one unique choice space, and Theorem A.3.7 asserts 
that any choice space has only one unique generating ensemble. □ 

Notation. By Theorem A.3.8 the Cartesian product is invertible, providing a mapping from choice spaces to 
generating ensembles. There is need for a symbol designating this inverse. In preference to $\prod^{-1}$, for present 
purpose we borrow the coproduct symbol $\coprod$ from another field, since there is no danger of confusion. 

Definition A.3.9. A finite choice space is a choice space (Definition A.3.4) whose generating ensemble has a 
finite index set. 

A.3.2 Dyadic Operators 

Notation. This section presents binary operators on ensembles and choice spaces whose intended usage will 
value notational compactness. To this end these operators will be displayed through dyadic notation, which 
indicates an operator application implicitly by simple juxtaposition of the operator’s arguments, forgoing 
explicit rendering of the operation’s symbol as a prehx, inhx, or suffix. For reason of denotational style, these 
operators will be called products despite that they suggest sums. 

Definition A.3.10. Let $\Theta$ and $\Phi$ be disjoint (definition A.2.1) ensembles. The dyadic product $(\Theta, \Phi) \mapsto \Theta\Phi$ is

$$\Theta\Phi = \Theta \cup \Phi.$$

An immediate consequence of this definition is commutativity $\Theta\Phi = \Phi\Theta$, since $\Theta \cup \Phi = \Phi \cup \Theta$.

Theorem A.3.11. Let $\Theta$ and $\Phi$ be disjoint ensembles. Their dyadic product $\Upsilon = \Theta\Phi$ is an ensemble with domain $(\operatorname{dom}\Theta \cup \operatorname{dom}\Phi)$ and range $(\operatorname{ran}\Theta \cup \operatorname{ran}\Phi)$.

Proof. Suppose $i \in \operatorname{dom}\Theta\Phi$. By definition A.3.10, $\Theta\Phi = \Theta \cup \Phi$. From this it follows that $i \in \operatorname{dom}\Theta \cup \operatorname{dom}\Phi$. Therefore $i \in \operatorname{dom}\Theta$, $i \in \operatorname{dom}\Phi$, or both. The stipulation that $\Theta$ and $\Phi$ be disjoint entails $\operatorname{dom}\Theta \cap \operatorname{dom}\Phi = \emptyset$ (definition A.2.1). That stipulation eliminates the possibility of both memberships, leaving two feasible cases: either A) $i \in \operatorname{dom}\Theta$ and $i \notin \operatorname{dom}\Phi$, or B) $i \notin \operatorname{dom}\Theta$ and $i \in \operatorname{dom}\Phi$.

In case A, there exists $(i, \Theta_i) \in \Theta$, so $(i, \Theta_i) \in \Upsilon = \Theta \cup \Phi$. Furthermore, since $i \notin \operatorname{dom}\Phi$, $\Upsilon_i = \Theta_i$ is well-defined. Since by definition A.1.1 each member of $\operatorname{ran}\Theta$ is a non-empty set, then likewise $\Upsilon_i = \Theta_i$ is a non-empty set.

Argumentation for case B, supporting that $\Upsilon_i = \Phi_i$ is well-defined and that it is a non-empty set, is obtained by interchanging the roles of $\Theta$ and $\Phi$ in case A.

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Over all possibilities, $\Upsilon = \Theta \cup \Phi$ is well-defined as a mapping (family) and each element of its range is a non-empty set. Therefore the dyadic product of two disjoint ensembles is itself an ensemble.

The sub-case analysis establishes $\operatorname{dom}\Theta\Phi \subseteq (\operatorname{dom}\Theta \cup \operatorname{dom}\Phi)$. For the converse, first assume $i \in \operatorname{dom}\Theta$. Then there is some $P$ such that $(i, P) \in \Theta$. From this it follows that $(i, P) \in \Theta \cup \Phi$, so $i \in \operatorname{dom}\Theta\Phi$ and $\operatorname{dom}\Theta \subseteq \operatorname{dom}\Theta\Phi$. Similarly, $\operatorname{dom}\Phi \subseteq \operatorname{dom}\Theta\Phi$. From these two inclusions it follows that $(\operatorname{dom}\Theta \cup \operatorname{dom}\Phi) \subseteq \operatorname{dom}\Theta\Phi$. With the previous result that $\operatorname{dom}\Theta\Phi \subseteq (\operatorname{dom}\Theta \cup \operatorname{dom}\Phi)$, we conclude $\operatorname{dom}\Theta\Phi = (\operatorname{dom}\Theta \cup \operatorname{dom}\Phi)$.

The sub-case analysis shows also that for $(i, P) \in \Theta\Phi$, either $P \in \operatorname{ran}\Theta$ or $P \in \operatorname{ran}\Phi$. This implies that $\operatorname{ran}\Theta\Phi \subseteq \operatorname{ran}\Theta \cup \operatorname{ran}\Phi$.

To demonstrate the converse, assume $P \in \operatorname{ran}\Theta$. Then there exists $(i, P) \in \Theta$, and by definition A.3.10 $(i, P) \in \Theta\Phi$. From this we conclude that $\operatorname{ran}\Theta \subseteq \operatorname{ran}\Theta\Phi$. With modest changes as above we conclude $\operatorname{ran}\Phi \subseteq \operatorname{ran}\Theta\Phi$. This establishes the converse $\operatorname{ran}\Theta \cup \operatorname{ran}\Phi \subseteq \operatorname{ran}\Theta\Phi$.

Finally, with both $\operatorname{ran}\Theta\Phi \subseteq \operatorname{ran}\Theta \cup \operatorname{ran}\Phi$ and its converse, $\operatorname{ran}\Theta\Phi = \operatorname{ran}\Theta \cup \operatorname{ran}\Phi$. □

Definition A.3.12. Let $\Theta$ and $\Phi$ be disjoint ensembles. The dyadic space product of $\prod\Theta$ and $\prod\Phi$ is

$$\prod\Theta \, \prod\Phi = \prod\Theta\Phi$$

(that is, with $\Upsilon = \Theta\Phi$, the set of all $\Upsilon$-choices).

Definition A.3.13. Let $\Theta$ and $\Phi$ be disjoint ensembles generating choice spaces $\prod\Theta$ and $\prod\Phi$. Suppose $\alpha \in \prod\Theta$ and $\beta \in \prod\Phi$ are choices. Their dyadic choice product $(\alpha, \beta) \mapsto \alpha\beta$ is

$$\alpha\beta = \alpha \cup \beta.$$

Theorem A.3.14. Let $\Theta$ and $\Phi$ be disjoint ensembles. The dyadic choice product is a bijection

$$\prod\Theta \times \prod\Phi \leftrightarrow \prod\Theta\Phi.$$

Proof. Suppose $(\theta, \phi) \in \prod\Theta \times \prod\Phi$, whence it follows that choices $\theta \in \prod\Theta$ and $\phi \in \prod\Phi$. Consider the dyadic products $\theta\phi = \theta \cup \phi$ and $\Theta\Phi = \Theta \cup \Phi$. Since $\operatorname{dom}\theta = \operatorname{dom}\Theta = T$ and $\operatorname{dom}\phi = \operatorname{dom}\Phi = P$, then $\operatorname{dom}\theta\phi = T \cup P = \operatorname{dom}\Theta\Phi$. Let $i \in \operatorname{dom}\theta\phi = T \cup P$. Since $\Theta$ and $\Phi$ are disjoint, exactly one of two cases holds: either $i \in T$ and $i \notin P$, or $i \notin T$ and $i \in P$.

In the first case, $i \in T$, $\theta\phi(i) = \theta(i)$ and $\Theta\Phi(i) = \Theta(i)$. Since $\theta$ is a $\Theta$-choice, $\theta(i) \in \Theta(i)$. But since $\theta\phi(i) = \theta(i)$ and $\Theta\Phi(i) = \Theta(i)$, then $\theta\phi(i) \in \Theta\Phi(i)$ for any $i \in T$.

The second case is similar and leads to $\theta\phi(i) \in \Theta\Phi(i)$ for any $i \in P$. From these two cases we conclude that $\theta\phi(i) \in \Theta\Phi(i)$ for any $i \in T \cup P = \operatorname{dom}\theta\phi$, and that $\theta\phi \in \prod\Theta\Phi$.

The preceding establishes that the choice product is a relation between $\prod\Theta \times \prod\Phi$ and $\prod\Theta\Phi$. For this relation to be a mapping, it must yet be established that any member of the domain is related to exactly one member of the co-domain.

Again with $(\theta, \phi) \in \prod\Theta \times \prod\Phi$, suppose $\alpha \in \prod\Theta\Phi$ and $\beta \in \prod\Theta\Phi$ are $\Theta\Phi$-choices such that $(\theta, \phi) \mapsto \alpha$ and $(\theta, \phi) \mapsto \beta$. The hypothesis $\alpha \ne \beta$ now leads to the contradiction $\theta \cup \phi \ne \theta \cup \phi$, so the hypothesis is false and $\alpha = \beta$. Therefore the dyadic choice product is a mapping.

To be bijective, this mapping must be injective and surjective.

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To assess injection, let $\theta, \theta' \in \prod\Theta$ and $\phi, \phi' \in \prod\Phi$, and hypothesize $\theta\phi = \theta'\phi'$. With $\theta\phi = \theta'\phi'$, then the restrictions $\theta\phi \,|\, \operatorname{dom}\Theta = \theta'\phi' \,|\, \operatorname{dom}\Theta$. By A.3.13, $\theta\phi \,|\, \operatorname{dom}\Theta = \theta$ and $\theta'\phi' \,|\, \operatorname{dom}\Theta = \theta'$. This establishes $\theta = \theta'$ in $\prod\Theta$. A similar approach, using restriction by $\operatorname{dom}\Phi$, establishes $\phi = \phi'$ in $\prod\Phi$. Since the assumption $\theta\phi = \theta'\phi'$ implies $\theta = \theta'$ and $\phi = \phi'$, the dyadic choice product is injective.

To assess surjection, consider a general $\gamma \in \prod\Theta\Phi$. Define $\theta = \gamma \,|\, \operatorname{dom}\Theta$. By definition A.3.10 the non-empty sets $\Theta(i) = \Theta\Phi(i)$ for $i \in \operatorname{dom}\Theta$. Since $\theta(i) \in \Theta\Phi(i)$ by construction, and $\Theta(i) = \Theta\Phi(i)$, then $\theta(i) \in \Theta(i)$ for $i \in \operatorname{dom}\Theta$ - that is, $\theta$ is a choice in $\prod\Theta$.

A similar tactic shows the existence of $\phi \in \prod\Phi$. Construct $\phi = \gamma \,|\, \operatorname{dom}\Phi$. For each $i \in \operatorname{dom}\Phi$, the non-empty sets $\Phi(i) = \Theta\Phi(i)$ by definition A.3.10. Since by construction $\phi(i) \in \Theta\Phi(i)$, and $\Phi(i) = \Theta\Phi(i)$, then $\phi(i) \in \Phi(i)$ for $i \in \operatorname{dom}\Phi$ - that is, $\phi$ is a choice in $\prod\Phi$.

It is thus established that for any $\gamma \in \prod\Theta\Phi$, there exist $\theta \in \prod\Theta$ and $\phi \in \prod\Phi$ such that $\gamma = \theta\phi$. Therefore the dyadic choice product is surjective.

Since the dyadic choice product is both injective and surjective, it is a bijection $\prod\Theta \times \prod\Phi \leftrightarrow \prod\Theta\Phi$. □


A.3.3 Choice subspaces 

Any mapping, including a choice mapping, may be restricted to subsets of its domain. 

Definition A.3.15. Let $\Psi$ be an ensemble, and let $R \subseteq \operatorname{dom}\Psi$ be a subset of its index set. Suppose $\chi \in \prod\Psi$ is a choice. A subchoice $\chi \,|\, R$ is the ordinary mapping restriction of $\chi$ to its domain subset $R$.

Remark. In the above, the degenerate case $R = \emptyset$ yields $\chi \,|\, R = \emptyset$.

Definition A.3.16. Let $\Psi$ be an ensemble. For each $R \subseteq \operatorname{dom}\Psi$, the subspace $(\prod\Psi) \,|\, R$ is the set of subchoices $\{\chi \,|\, R : \chi \in \prod\Psi\}$.

Theorem A.3.17. Let ensemble $\Psi$ generate choice space $\prod\Psi$, and let $R \subseteq \operatorname{dom}\Psi$ be a subset of its index set. The restriction of the choice space equals the choice space of the restriction:

$$(\prod\Psi) \,|\, R = \prod(\Psi \,|\, R).$$

Proof. Suppose $\xi \in (\prod\Psi) \,|\, R$. By definition A.3.15 there exists $\chi \in \prod\Psi$ such that $\xi = \chi \,|\, R$. By definition of Cartesian product, for each $i \in \operatorname{dom}\Psi$, $\chi(i) \in \Psi(i)$. Since $R \subseteq \operatorname{dom}\Psi$, then for each $r \in R$, $\xi(r) \in \Psi(r)$. Consider $\Psi \,|\, R$, for which $\operatorname{dom}(\Psi \,|\, R) = R$. By definition of restriction, for $r \in R$, $(\Psi \,|\, R)(r) = \Psi(r)$. Since $\xi(r) \in \Psi(r)$ and $\Psi(r) = (\Psi \,|\, R)(r)$, then for any $r \in R$, $\xi(r) \in (\Psi \,|\, R)(r)$ - that is, $\xi$ is a choice of $\Psi \,|\, R$. From the preceding, $\xi \in (\prod\Psi) \,|\, R$ implies $\xi \in \prod(\Psi \,|\, R)$, or $(\prod\Psi) \,|\, R \subseteq \prod(\Psi \,|\, R)$.

Next suppose $\xi \in \prod(\Psi \,|\, R)$. Then, by definitions A.3.3 and A.3.4 covering Cartesian products, for each $r \in R$, $\xi(r) \in (\Psi \,|\, R)(r)$. The ensemble $\Psi$ coincides with its restriction $\Psi \,|\, R$ on $R$. A restatement of this is $(\Psi \,|\, R)(r) = \Psi(r)$ for $r \in R$. Substituting $\Psi(r)$ for $(\Psi \,|\, R)(r)$ yields $\xi(r) \in \Psi(r)$ for each $r \in R$. From this it follows that $\xi \in (\prod\Psi) \,|\, R$, with the further implication that $\prod(\Psi \,|\, R) \subseteq (\prod\Psi) \,|\, R$.

Having established that each of these two sets is a subset of the other, we conclude equality $(\prod\Psi) \,|\, R = \prod(\Psi \,|\, R)$. □

Lemma A.3.18. Let $\Psi$ and $\Phi$ be ensembles. If $\prod\Phi$ is a subspace of $\prod\Psi$, then $\Phi \subseteq \Psi$.

Proof. Let $\prod\Phi$ be a subspace of $\prod\Psi$. By definition A.3.16 there exists $R \subseteq \operatorname{dom}\Psi$ such that $\prod\Phi = (\prod\Psi) \,|\, R$. By Theorem A.3.17 the restriction of the choice space equals the choice space of the restriction: $(\prod\Psi) \,|\, R = \prod(\Psi \,|\, R)$. Transitivity of equality implies $\prod\Phi = \prod(\Psi \,|\, R)$. Then, by Theorem A.3.7 (invertibility of the Cartesian product), $\Phi = \Psi \,|\, R$.

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Suppose term $(i, P) \in \Phi$. Since $\Phi = \Psi \,|\, R$, then $(i, P) \in \Psi \,|\, R$. By the definition of restriction, this implies both $(i, P) \in \Psi$ and $i \in R$. Since $(i, P) \in \Phi$ implies $(i, P) \in \Psi$, we conclude $\Phi \subseteq \Psi$. □

Lemma A.3.19. Let $\Psi$ and $\Phi$ be ensembles. If $\Phi \subseteq \Psi$ and $R = \operatorname{dom}\Phi$, then $\Phi = \Psi \,|\, R$.

Proof. Consider $(i, P) \in \Psi \,|\, R$. It then follows from the definition of restriction that $(i, P) \in \Psi$ and $i \in R$. But $R = \operatorname{dom}\Phi$, so $i \in \operatorname{dom}\Phi$. This implies there exists $(i, Q) \in \Phi$. Since $\Phi \subseteq \Psi$, then $(i, Q) \in \Psi$. Since $\Psi$ is a mapping, $(i, P) \in \Psi$ and $(i, Q) \in \Psi$ imply $P = Q$. From $P = Q$ and $(i, Q) \in \Phi$, we infer that $(i, P) \in \Phi$. Thus $(i, P) \in \Psi \,|\, R$ implies $(i, P) \in \Phi$, so $\Psi \,|\, R \subseteq \Phi$.

Next suppose $(i, P) \in \Phi$. From this it follows that $i \in R = \operatorname{dom}\Phi$. From the premises $(i, P) \in \Phi$ and $\Phi \subseteq \Psi$ we conclude $(i, P) \in \Psi$. Together $(i, P) \in \Psi$ and $i \in R$ imply that $(i, P) \in \Psi \,|\, R$. Thus $(i, P) \in \Phi$ implies $(i, P) \in \Psi \,|\, R$, so $\Phi \subseteq \Psi \,|\, R$.

From $\Psi \,|\, R \subseteq \Phi$ and $\Phi \subseteq \Psi \,|\, R$ we infer $\Phi = \Psi \,|\, R$. □

Lemma A.3.20. Let $\Psi$ and $\Phi$ be ensembles. If $\Phi \subseteq \Psi$, then $\prod\Phi$ is a subspace of $\prod\Psi$.

Proof. Set $R = \operatorname{dom}\Phi$. Since $\Phi \subseteq \Psi$ by hypothesis, then by applying lemma A.3.19 we infer $\Phi = \Psi \,|\, R$. With this equality and Theorem A.3.7 (invertibility of the Cartesian product), we have

$$\prod\Phi = \prod(\Psi \,|\, R).$$

Theorem A.3.17 asserts that the restriction of the choice space equals the choice space of the restriction: $(\prod\Psi) \,|\, R = \prod(\Psi \,|\, R)$. Transitivity of equality implies $\prod\Phi = (\prod\Psi) \,|\, R$. This last equality is exactly the premise of definition A.3.16: $\prod\Phi$ is a subspace of $\prod\Psi$. □

Theorem A.3.21. Let $\Psi$ and $\Phi$ be ensembles. $\prod\Phi$ is a subspace of $\prod\Psi$ if and only if $\Phi \subseteq \Psi$.

Proof. Lemma A.3.18 asserts that if $\prod\Phi$ is a subspace of $\prod\Psi$, then $\Phi \subseteq \Psi$. Lemma A.3.20 asserts that if $\Phi \subseteq \Psi$, then $\prod\Phi$ is a subspace of $\prod\Psi$. This pair of converse implications establishes the biconditional. □

Lemma A.3.22. If $\Upsilon$, $\Psi$, and $\Phi$ are ensembles such that $\Upsilon = \Psi\Phi$, then $\Psi \subseteq \Upsilon$ and $\Phi \subseteq \Upsilon$.

Proof. Since $\Upsilon$ is the dyadic product of $\Psi$ and $\Phi$, then by definition A.3.10 $\Psi$ and $\Phi$ are disjoint ensembles and $\Upsilon = \Psi \cup \Phi$.

Suppose $i \in \operatorname{dom}\Upsilon = \operatorname{dom}(\Psi \cup \Phi)$. Through definition A.2.1, disjointness entails that $\operatorname{dom}\Psi \cap \operatorname{dom}\Phi = \emptyset$. Thus, if $i \in \operatorname{dom}\Upsilon$, exactly one of two cases holds: either A: $i \in \operatorname{dom}\Psi$ and $i \notin \operatorname{dom}\Phi$, or B: $i \in \operatorname{dom}\Phi$ and $i \notin \operatorname{dom}\Psi$.

Assume case A, that $i \in \operatorname{dom}\Psi$ and $i \notin \operatorname{dom}\Phi$. With $\Upsilon = \Psi \cup \Phi$, it follows from the definition of set union that for any $i \in \operatorname{dom}\Psi$, $(i, P) \in \Psi$ implies $(i, P) \in \Upsilon$ - that is, $\Psi \subseteq \Upsilon$.

For case B, a similar argument leads to $\Phi \subseteq \Upsilon$. □

Corollary A.3.23. If $\Upsilon$, $\Psi$, and $\Phi$ are ensembles such that $\Upsilon = \Psi\Phi$, then $\Psi(i) = \Upsilon(i)$ for $i \in \operatorname{dom}\Psi$, and $\Phi(j) = \Upsilon(j)$ for $j \in \operatorname{dom}\Phi$.

Proof. Under identical premises, lemma A.3.22 provides $\Psi \subseteq \Upsilon$ and $\Phi \subseteq \Upsilon$. Suppose $i \in \operatorname{dom}\Psi$. If $(i, P) \in \Psi$, then $(i, P) \in \Upsilon$ since $\Psi \subseteq \Upsilon$. The notation $\Psi(i) = \Upsilon(i)$ (both equaling $P$) is equivalent. A similar argument demonstrates $\Phi(j) = \Upsilon(j)$ for $j \in \operatorname{dom}\Phi$. □

Theorem A.3.24. Let $\Upsilon$, $\Psi$, and $\Phi$ be ensembles such that $\Upsilon = \Psi\Phi$. For each $\nu \in \prod\Upsilon$, there exist unique $\psi \in \prod\Psi$ and $\phi \in \prod\Phi$ such that $\nu = \psi\phi$.

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Proof. Suppose $\nu \in \prod\Upsilon$. Since any choice has the same domain as its generating ensemble, $\operatorname{dom}\Upsilon = \operatorname{dom}\nu$. Theorem A.3.11 states that $\operatorname{dom}\Upsilon = \operatorname{dom}\Psi \cup \operatorname{dom}\Phi$, from which transitivity of equality provides $\operatorname{dom}\nu = \operatorname{dom}\Psi \cup \operatorname{dom}\Phi$.

From lemma A.3.22 we conclude $\Psi \subseteq \Upsilon$ and $\Phi \subseteq \Upsilon$. Since these relations hold for entire ensembles, the same is true of the ensembles’ domains: $\operatorname{dom}\Psi \subseteq \operatorname{dom}\Upsilon$ and $\operatorname{dom}\Phi \subseteq \operatorname{dom}\Upsilon$. By substitution, the previous result $\operatorname{dom}\Upsilon = \operatorname{dom}\nu$ then establishes that $\operatorname{dom}\Psi \subseteq \operatorname{dom}\nu$ and $\operatorname{dom}\Phi \subseteq \operatorname{dom}\nu$.

The inclusion $\operatorname{dom}\Psi \subseteq \operatorname{dom}\nu$ ensures that the restriction $\psi = \nu \,|\, \operatorname{dom}\Psi$ is well-defined. Similarly $\phi = \nu \,|\, \operatorname{dom}\Phi$ is also well-defined.

We next focus on the restriction $\psi$ constructed above, seeking to demonstrate that it is also a member of the choice space $\prod\Psi$. Suppose term $(i, p) \in \psi$. Since $\psi = \nu \,|\, \operatorname{dom}\Psi$, then both $(i, p) \in \nu$ and $i \in \operatorname{dom}\Psi$.

Since $\nu \in \prod\Upsilon$ by hypothesis, definition A.3.3 demands that $p \in \Upsilon(i)$ whenever $(i, p) \in \nu$. Corollary A.3.23 asserts $\Psi(i) = \Upsilon(i)$ for $i \in \operatorname{dom}\Psi$. Since $p \in \Upsilon(i)$ and $\Upsilon(i) = \Psi(i)$, then $p \in \Psi(i)$. Thus for any $(i, p) \in \psi$, it follows that $p \in \Psi(i)$. This means that $\psi$ is a choice of $\Psi$ by definition A.3.3 - that is, $\psi \in \prod\Psi$ by definition A.3.4.

Similar reasoning establishes that the other restriction $\phi$ is a member of $\prod\Phi$. The unique $\psi \in \prod\Psi$ and $\phi \in \prod\Phi$ such that $\nu = \psi\phi$ are expressed by the restrictions $\psi = \nu \,|\, \operatorname{dom}\Psi$ and $\phi = \nu \,|\, \operatorname{dom}\Phi$. □
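The dyadic product (A.3.10), the choice product bijection (A.3.14), restriction of choice spaces (A.3.17) and the factoring of a product choice by restriction (A.3.24) are all finite enough to check mechanically. The following Python model is an added example, not code from the report: ensembles are dicts from index to a non-empty frozenset, choices are frozensets of (index, value) pairs, and the two toy ensembles THETA and PHI are constructed here.

```python
from itertools import product

# Constructed toy ensembles (not from the report): index -> non-empty set of values.
THETA = {"mode": frozenset({"run", "stop"}), "door": frozenset({"open", "closed"})}
PHI = {"speed": frozenset({0, 1, 2})}


def choice_space(ens):
    """General Cartesian product prod(ens): every choice chi with chi(i) in ens[i] for each
    index i (definitions A.3.3 and A.3.4). A choice is a frozenset of (index, value) pairs."""
    keys = list(ens)
    return frozenset(frozenset(zip(keys, combo))
                     for combo in product(*(ens[k] for k in keys)))


def generating_ensemble(space):
    """The coproduct: recover the unique generating ensemble of a choice space by collecting,
    per index, every value some choice takes there (theorems A.3.7 and A.3.8)."""
    ens = {}
    for chi in space:
        for i, x in chi:
            ens.setdefault(i, set()).add(x)
    return {i: frozenset(s) for i, s in ens.items()}


def dyadic_product(theta, phi):
    """Definition A.3.10: the union of two ensembles with disjoint index sets."""
    if theta.keys() & phi.keys():
        raise ValueError("dyadic product requires disjoint index sets")
    return {**theta, **phi}


def choice_product(alpha, beta):
    """Definition A.3.13: the union of a Theta-choice and a Phi-choice."""
    return alpha | beta


def restrict(mapping, indices):
    """Restriction '| R' of an ensemble (dict) or of a choice (frozenset of pairs)."""
    if isinstance(mapping, dict):
        return {i: s for i, s in mapping.items() if i in indices}
    return frozenset((i, x) for i, x in mapping if i in indices)


def factor(nu, theta, phi):
    """Theorem A.3.24: the unique (psi, phi) with nu = psi phi, read off by restriction."""
    return restrict(nu, theta.keys()), restrict(nu, phi.keys())


def check_choice_product_bijection(theta, phi):
    """Theorem A.3.14: (alpha, beta) -> alpha beta is a bijection from
    prod(Theta) x prod(Phi) onto prod(Theta Phi), and restriction inverts it."""
    space_theta, space_phi = choice_space(theta), choice_space(phi)
    joint = choice_space(dyadic_product(theta, phi))
    image = {choice_product(a, b) for a in space_theta for b in space_phi}
    injective = len(image) == len(space_theta) * len(space_phi)
    surjective = image == joint
    inverts = all(choice_product(*factor(nu, theta, phi)) == nu for nu in joint)
    return injective and surjective and inverts


def check_restriction_commutes(psi, indices):
    """Theorem A.3.17: (prod Psi)|R equals prod(Psi|R)."""
    lhs = frozenset(restrict(chi, indices) for chi in choice_space(psi))
    rhs = choice_space(restrict(psi, indices))
    return lhs == rhs


if __name__ == "__main__":
    PSI = dyadic_product(THETA, PHI)
    print(len(choice_space(PSI)), "choices in prod(Theta Phi)")  # 12 = 4 * 3
    print(check_choice_product_bijection(THETA, PHI))             # True
    print(check_restriction_commutes(PSI, {"mode", "speed"}))     # True
    print(generating_ensemble(choice_space(PSI)) == PSI)          # True
```

The empty index set reproduces the Remark after A.3.15: restricting every choice to R = ∅ leaves the single empty choice, which is also the choice space of the empty ensemble.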


A.4 Persistent-volatile partition 


Definition 2.1.1 asserts that basis $(\Psi, \Phi)$ is comprised of two ensembles satisfying $\Phi \subseteq \Psi$. This allows partitioning terms of $\Psi$ into two sets: those terms that are members of both $\Psi$ and $\Phi$, and those terms that are members of $\Psi$ but not $\Phi$. The ensemble difference terminology of definition A.2.3 poses the minuend, subtrahend, and remainder of this basis as respectively $\Psi$, $\Phi$, and $\Psi \setminus \Phi$.

Terminology. This partition is important when interpreted as systems theory. The minuend $\Psi$ generates a choice space $\prod\Psi$ called the stimulus space. The subtrahend $\Phi$ generates the persistent (alternatively response) space $\prod\Phi$. The remainder $\Psi \setminus \Phi$ generates the event space $\prod(\Psi \setminus \Phi)$.

Theorem A.4.1. Let $(\Psi, \Phi)$ be a basis. The persistent ($\Phi$) and volatile ($\Upsilon = \Psi \setminus \Phi$) generating ensembles are disjoint and complementary with respect to the generating ensemble $\Psi$ of the stimulus space. Expressed in dyadic product,

$$\Psi = \Phi\Upsilon.$$

Proof. Since $(\Psi, \Phi)$ is a basis, then $\Phi \subseteq \Psi$ by definition 2.1.1. With that result and by lemma A.2.4, the subtrahend $\Phi$ and remainder $\Psi \setminus \Phi$ are disjoint and complementary with respect to $\Psi$.

The dyadic product recapitulates these results. Since $\Psi \setminus \Phi$ and $\Phi$ are disjoint, the dyadic product $[\Psi \setminus \Phi][\Phi]$ is well-defined. By definition A.3.10, $[\Psi \setminus \Phi][\Phi] = (\Psi \setminus \Phi) \cup \Phi = \Psi$. □

Remark. The case $\Phi = \emptyset$ does not occur naturally in systems theory because no proper system is unresponsive to all possible stimuli. When $\Psi = \Phi$, the basis has no event space through which to receive transient external stimuli.
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Appendix B 


Uncoverable processes 


Although any procedure does cover some process, some processes have no covering procedure. This disparity arises naturally through limiting the quantity of distinct functionalities participating in a procedure. Here the constraining mechanism is the catalog of functionality, whose membership must be finite. This stricture’s rationale is to emulate software, which is presumed to possess finite functionality.

Uncoverability of a process entails more than failure of definition 2.2.6 in the case of a particular procedure; uncoverability implies failure for any procedure constructed from a given catalog of functionality. With process $\{f_n\}: \mathbb{N} \to \prod\Psi \times \prod\Phi$ and a catalog of functionality, uncoverability requires an $i \in \mathbb{N}$ and term $f_i$ such that $f_i$ belongs to no functionality in the catalog.


B.l Pigeonhole principle 

The pigeonhole principle can verify uncoverability, but not coverability. Suppose two frames have the same abscissa but different ordinates. No single functionality can cover both frames, since functionalities are mappings. In more general analogy, let distinct equi-abscissa frames be pigeons and functionalities be pigeonholes. If more than $N$ pigeons occupy $N$ pigeonholes, then some pigeonhole contains more than one pigeon, which is not allowed.


B.2 Underpigeonholing 

The frame set derived from the initial segment of length $k$ of process $\{f_n\}$ is the set $F = \{f : f = f_i \text{ and } i < k\}$. This set’s $\psi$-homogeneous subset contains only those frames having initial condition (abscissa) $\psi \in \prod\Psi$. The corresponding end-condition set consists of those frames’ ordinates. Obviously the $\psi$-homogeneous end-condition set must have cardinality $|\{\phi : (\psi, \phi) = f_i \text{ and } i < k\}| \le k$. The limit supremum (respecting initial segment length and homogeneity choice) presents the process’ worst-case scenario.

Definition B.2.1. Let $(\Psi, \Phi)$ be a basis for process $\{f_n\}: \mathbb{N} \to \prod\Psi \times \prod\Phi$ with a catalog of functionality. The catalog under-pigeonholes process $\{f_n\}$ if its cardinality satisfies

$$|\text{catalog}| < \lim_{n \to \infty} \Bigl( \sup_{\psi \in \prod\Psi} \bigl| \{ \phi : (\psi, \phi) = f_i \text{ and } i < n \} \bigr| \Bigr).$$
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Whenever the limit supremum fails to converge, no procedure based on a (finite) catalog can cover the process. 
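The pigeonhole test of B.1 and the under-pigeonholing criterion of B.2 amount to counting, per initial condition ψ, how many distinct end conditions φ the initial segment has paired with it. The following Python model is an added example, not code from the report; the three processes it runs on are constructed here, with frames represented as (ψ, φ) tuples of hashable values.

```python
from collections import defaultdict

# Constructed processes (not from the report). A frame is (psi, phi): the initial
# condition psi (a stimulus choice) and the end condition phi (a response choice).


def hidden_counter_process(length):
    """The stimulus never changes, but the response cycles through three values driven by
    state invisible in the frame, so at least three functionalities are needed."""
    return [("tick", ("count", i % 3)) for i in range(length)]


def unbounded_process(length):
    """Every frame has the same stimulus and a new response: the worst case grows with n,
    so the limit supremum diverges and no finite catalog can cover the process."""
    return [("tick", ("count", i)) for i in range(length)]


COVERABLE = [(("door", "closed"), "lock"), (("door", "open"), "unlock"),
             (("door", "closed"), "lock"), (("door", "open"), "unlock")]


def end_condition_sets(frames, n):
    """Group the initial segment of length n by abscissa psi, collecting the distinct
    ordinates phi seen with each psi (the psi-homogeneous end-condition sets)."""
    groups = defaultdict(set)
    for psi, phi in frames[:n]:
        groups[psi].add(phi)
    return groups


def worst_case(frames, n):
    """sup over psi of |{phi : (psi, phi) = f_i and i < n}|; 0 for an empty segment."""
    return max((len(s) for s in end_condition_sets(frames, n).values()), default=0)


def worst_case_profile(frames):
    """The worst case for each initial segment length n = 1 .. len(frames)."""
    return [worst_case(frames, n) for n in range(1, len(frames) + 1)]


def uncoverability_witness(frames, catalog_size):
    """Smallest n at which a catalog of catalog_size functionalities is under-pigeonholed
    (definition B.2.1 read on the observed segment): some psi has been paired with more
    distinct phi than there are functionalities to map it. None means the segment gives
    no witness; by B.1 that does not prove coverability."""
    for n in range(1, len(frames) + 1):
        if worst_case(frames, n) > catalog_size:
            return n
    return None


if __name__ == "__main__":
    print(worst_case_profile(hidden_counter_process(6)))         # [1, 2, 3, 3, 3, 3]
    print(uncoverability_witness(hidden_counter_process(6), 2))  # 3
    print(uncoverability_witness(hidden_counter_process(6), 3))  # None
    print(worst_case_profile(unbounded_process(5)))              # [1, 2, 3, 4, 5]
    print(uncoverability_witness(COVERABLE, 1))                  # None
```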
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Appendix C 


MIL-STD-882 and the CPP 


MIL-STD-882 is the United States Department of Defense Standard Practice for System Safety. Revision E 
became effective May 11, 2012. In preference to accident, this standard prefers the term mishap, which it 
defines as “an event or series of events resulting in unintentional death, injury, occupational illness, damage 
to or loss of equipment or property, or damage to the environment.” 

Its safety risk assessment method uses the compound Poisson process (CPP) to represent the timing and severity of mishaps. MIL-STD-882E partitions compound Poisson processes into a lattice of categories and levels that covers the range of interest. The category is a variable which, in an explicit range [1-4], expresses the expectation ($\mu_L$) of the CPP loss random variable $L$. The level is a variable which, in an explicit range [A-E], expresses the rate or intensity $\lambda$ of the CPP.

The system of categories and levels agrees with the limits of discernibility of human intuition. Two different 
compound Poisson processes having the same category and level are indeed different but in practice are 
indistinguishable. This characteristic imposes a logarithmic organization on the categories and levels. 


| Description | Severity Category | Mishap Result Criteria |
|---|---|---|
| Catastrophic | 1 | Could result in one or more of the following: death, permanent total disability, irreversible significant environmental impact, or monetary loss equal to or exceeding $10M. |
| Critical | 2 | Could result in one or more of the following: permanent partial disability, injuries or occupational illness that may result in hospitalization of at least three personnel, reversible significant environmental impact, or monetary loss equal to or exceeding $1M but less than $10M. |
| Marginal | 3 | Could result in one or more of the following: injury or occupational illness resulting in one or more lost work day(s), reversible moderate environmental impact, or monetary loss equal to or exceeding $100K but less than $1M. |
| Negligible | 4 | Could result in one or more of the following: injury or occupational illness not resulting in a lost work day, minimal environmental impact, or monetary loss less than $100K. |

Table C.1: MIL-STD-882E Severity Categories


| Description | Level | Specific Individual Item | Fleet or Inventory |
|---|---|---|---|
| Frequent | A | Likely to occur often in the life of an item. | Continuously experienced. |
| Probable | B | Likely to occur often in the life of an item. | Will occur frequently. |
| Occasional | C | Likely to occur sometime in the life of an item. | Will occur several times. |
| Remote | D | Unlikely, but possible to occur in the life of an item. | Unlikely, but can reasonably be expected to occur. |
| Improbable | E | So unlikely, it can be assumed occurrence may not be experienced in the life of an item. | Unlikely to occur, but possible. |
| Eliminated | F | Incapable of occurrence. This level is used when potential hazards are identified and later eliminated. | |

Table C.2: MIL-STD-882E Probability Levels


Table 2 above is a qualitative description of levels. Table 3 below, appearing in MIL-STD-882E Appendix A, outlines certain pitfalls in accomplishing the same task quantitatively. Numerical expression of the intensity or rate of occurrence is generally preferable to mere qualitative phrasing. For quantitative description, the intensity is the ratio of mishaps (numerator) to some measure of exposure (denominator).


| Description | Level | Individual Item | Fleet/Inventory* | Quantitative |
|---|---|---|---|---|
| Frequent | A | Likely to occur often in the life of an item | Continuously experienced. | Probability of occurrence greater than or equal to $10^{-1}$. |
| Probable | B | Will occur several times in the life of an item | Will occur frequently. | Probability of occurrence less than $10^{-1}$ but greater than or equal to $10^{-2}$. |
| Occasional | C | Likely to occur sometime in the life of an item | Will occur several times. | Probability of occurrence less than $10^{-2}$ but greater than or equal to $10^{-3}$. |
| Remote | D | Unlikely, but possible to occur in the life of an item | Unlikely but can reasonably be expected to occur. | Probability of occurrence less than $10^{-3}$ but greater than or equal to $10^{-6}$. |
| Improbable | E | So unlikely, it can be assumed occurrence may not be experienced in the life of an item | Unlikely to occur, but possible. | Probability of occurrence less than $10^{-6}$. |
| Eliminated | F | Incapable of occurrence within the life of an item. This category is used when potential hazards are identified and later eliminated. | | |

Table C.3: MIL-STD-882E Example Probability Levels

* The size of the fleet or inventory should be defined.


The false hegemony of a single intuitively understood measure of exposure will now be examined. We will find that, however well-intended, Table 3 lacks essential explanation. Without that, it is an oversimplification.

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“Natural” measures of exposure must embrace a variety of units, some examples of which are: the life of one item, number of missile firings, flight hours, miles driven, or years of service. For example, an exposure measure of miles driven is expected silently to exclude substantial periods when the system is out of use. Similar would be any situation-based measure of exposure having a sizable portion of time spent in unused status (time not counted). This topic appeared in §3.2.2, the intermittent compound Poisson process. The natural unit of exposure can be tuned to the culture of a particular hazard. However, lacking conversion capability, this freedom of choice leads to the problem of a system composed of a heterogeneous plethora of non-comparable exposure units.

What is behind this incomparability? Natural units are important but incomplete - MIL-STD-882E needs additional factors to paint a full quantitative picture. There is need for conversion of various natural units into a single common standard unit, so that comparison involves only observation of magnitudes, without pondering the meaning of different units. This is particularly important in the cases of many ambiguous references to “life.” Suppose we arbitrarily standardize time duration at one year. We then define a conversion factor $\rho$, which means that $\rho$ years constitute a life. A measure $\tau$ quantifies what fraction of time the system’s mission is inactive or idle. A conversion factor for remaining units must be established; without specifying what units remain to be converted, we can say that the unit conversion calculus of elementary physics results in some linear coefficient $k$. With $N$ a natural exposure unit and $U$ a standard measure, what we have stated so far is summarized in the following form:


P 

Standard units measure statistical risk as resulting from exposure to an intermittent compound Poisson process. These standard units may not be a proper exposure, but measure the exposure expected in a year’s duration. For this reason we celebrate the importance of the role of pure natural units; it is important to understand risk as proportionate to exposure. To understand this importance, imagine yourself as the one exposed to a transient but intense hazard. But that does not imply the dismissal of statistical risk as a concern; it is also part of the risk analysis picture to consider how much risk exposure occurs within a given duration. This is the role of the standard unit.

Another complicating factor is the use of the term “level” itself. A level is a designator for a class of possibly intermittent, indistinguishable probability distributions. Rather than being clear about this, MIL-STD-882E equivocates greatly in Table 3, confusing this designator with a literal probability statement. Only after full quantitative analysis is completed ($\rho$, $\tau$, and $k$ known) can definite statements concerning probability be asserted. It is insufficient to mandate vague documentation of “all numerical definitions of probability used in risk assessments” without further guidance.

Table 4 below is a categorical rendering of the hyperbola of statistical risk. Definition 3.2.3 asserts $h = \lambda\mu_L$. Excepting the administrative level “Eliminated”, this cross-tabulation presents the level ($\lambda$) on the vertical axis and the category ($\mu_L$) along the horizontal axis. For each combination of level and category, another categorical variable* represents the statistical risk $h = \lambda\mu_L$ with values: High, Serious, Medium, and Low.

This table suffers the same ambiguity as Table 3. MIL-STD-882’s definitions are clearly inadequate for quantitative analysis. Through equivocation, exposure to an intermittent compound Poisson process is regarded as no different from exposure to a compound Poisson process, even though the difference becomes obvious through the linear factor $(1 - \tau)$. MIL-STD-882 is an evolving document in its fifth major revision; let us hope these ambiguities are resolved in the future.


*Not to be confused with the categorical variable named “category” 
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| Severity / Probability | Catastrophic (1) | Critical (2) | Marginal (3) | Negligible (4) |
|---|---|---|---|---|
| Frequent (A) | High | High | Serious | Medium |
| Probable (B) | High | High | Serious | Medium |
| Occasional (C) | High | Serious | Medium | Low |
| Remote (D) | Serious | Medium | Medium | Low |
| Improbable (E) | Medium | Medium | Medium | Low |
| Eliminated (F) | Eliminated | | | |

Table C.4: MIL-STD-882E Risk Assessment Matrix
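To make the $(1 - \tau)$ point concrete, the following Python model is an added example, not code from the standard or the report. It encodes the thresholds transcribed in Tables C.1, C.3 and C.4, and it assumes (the report does not specify this) that the “probability of occurrence” of Table C.3 is the probability of at least one mishap in a life of $\rho$ years under Poisson arrivals whose calendar-time intensity is scaled by $(1 - \tau)$; the sample hazard parameters are constructed.

```python
import math

# Thresholds as transcribed in Tables C.1, C.3 and C.4 of this appendix.
SEVERITY_CATEGORIES = [  # (description, category, lower bound on monetary loss, USD)
    ("Catastrophic", 1, 10_000_000),
    ("Critical", 2, 1_000_000),
    ("Marginal", 3, 100_000),
    ("Negligible", 4, 0),
]
PROBABILITY_LEVELS = [  # (description, level, lower bound on probability of occurrence)
    ("Frequent", "A", 1e-1),
    ("Probable", "B", 1e-2),
    ("Occasional", "C", 1e-3),
    ("Remote", "D", 1e-6),
    ("Improbable", "E", 0.0),
]
RISK_MATRIX = {  # row: level; columns: categories 1..4
    "A": ("High", "High", "Serious", "Medium"),
    "B": ("High", "High", "Serious", "Medium"),
    "C": ("High", "Serious", "Medium", "Low"),
    "D": ("Serious", "Medium", "Medium", "Low"),
    "E": ("Medium", "Medium", "Medium", "Low"),
}
HOURS_PER_YEAR = 8760


def severity_category(mu_l):
    """Category from the monetary criterion of Table C.1; mu_l is the expected loss in USD."""
    for description, category, floor in SEVERITY_CATEGORIES:
        if mu_l >= floor:
            return description, category
    raise ValueError("expected loss must be non-negative")


def probability_level(p):
    """Level from the quantitative column of Table C.3 for a probability of occurrence p."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    for description, level, floor in PROBABILITY_LEVELS:
        if p >= floor:
            return description, level
    raise AssertionError("unreachable: the Improbable floor is 0")


def statistical_risk(lam, mu_l):
    """h = lambda * mu_L (definition 3.2.3 as cited above): expected loss per unit exposure."""
    return lam * mu_l


def life_probability(lam_per_operating_hour, rho_years, tau):
    """Assumption, not from the standard: mishaps arrive as a Poisson process with intensity
    lambda per operating hour; an idle fraction tau scales the calendar-time intensity by
    (1 - tau); a life is rho years; and the Table C.3 probability is read as
    P(at least one mishap in the life) = 1 - exp(-lambda (1 - tau) * hours in a life)."""
    expected_mishaps = lam_per_operating_hour * (1.0 - tau) * HOURS_PER_YEAR * rho_years
    return 1.0 - math.exp(-expected_mishaps)


def assess(lam_per_operating_hour, rho_years, tau, mu_l):
    """Map a (possibly intermittent) compound Poisson process onto the MIL-STD-882E lattice:
    returns (level, category, risk rating from Table C.4)."""
    _, level = probability_level(life_probability(lam_per_operating_hour, rho_years, tau))
    _, category = severity_category(mu_l)
    return level, category, RISK_MATRIX[level][category - 1]


if __name__ == "__main__":
    # Constructed hazard: same intensity per operating hour and same expected loss;
    # only the idle fraction tau differs, and the level (hence the rating) moves with it.
    print(assess(1e-7, 20, 0.0, 2_000_000))   # ('B', 2, 'High')
    print(assess(1e-7, 20, 0.9, 2_000_000))   # ('C', 2, 'Serious')
    print(statistical_risk(1e-7, 2_000_000))  # 0.2 USD per operating hour
```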
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Appendix D 


Other approaches to automata 


D.l Deterministic finite automaton 

This depiction of the deterministic finite automaton appears in Wikipedia:

An automaton is represented formally by the 5-tuple $(Q, \Sigma, \delta, q_0, A)$, where:

• $Q$ is a finite set of states.

• $\Sigma$ is a finite set of symbols, called the alphabet of the automaton.

• $\delta$ is the transition function, that is, $\delta: Q \times \Sigma \to Q$.

• $q_0$ is the start state, that is, the state which the automaton is in when no input has been processed yet, where $q_0 \in Q$.

• $A$ is a set of states of $Q$ (i.e. $A \subseteq Q$) called accept states.

An approach for engineers is found in [4].
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